<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Kevin's Notes</title>
<subtitle>Quick notes</subtitle>
<link href="https://freemankevin.uk/atom.xml" rel="self"/>
<link href="https://freemankevin.uk/"/>
<updated>2025-01-15T09:47:19.467Z</updated>
<id>https://freemankevin.uk/</id>
<author>
<name>Freeman Kevin</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>How to Deploy ArgoCD in a Kubernetes Environment</title>
<link href="https://freemankevin.uk/2025/01/15/k8s-argocd/"/>
<id>https://freemankevin.uk/2025/01/15/k8s-argocd/</id>
<published>2025-01-15T09:47:25.000Z</published>
<updated>2025-01-15T09:47:19.467Z</updated>
<content type="html"><![CDATA[<p> This article explains in detail how to deploy a highly available ArgoCD in a Kubernetes cluster, covering the complete deployment and configuration process: client tool installation, server deployment, TLS configuration, user authentication, and RBAC permission management.</p><span id="more"></span><h2 id="环境要求"><a href="#环境要求" class="headerlink" title="环境要求"></a>Environment Requirements</h2><h3 id="基础环境"><a href="#基础环境" class="headerlink" title="基础环境"></a>Base Environment</h3><ul><li>Kubernetes cluster (version >= 1.21)</li><li>At least three worker nodes (for HA deployment)</li><li>Available persistent storage</li><li>Cluster load-balancing capability</li></ul><h3 id="版本选择"><a href="#版本选择" class="headerlink" title="版本选择"></a>Version Selection</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check version compatibility</span></span><br><span class="line"><span class="comment"># https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#tested-versions</span></span><br></pre></td></tr></table></figure><h2 id="客户端安装"><a href="#客户端安装" class="headerlink" title="客户端安装"></a>Client Installation</h2><h3 id="下载安装"><a href="#下载安装" class="headerlink" title="下载安装"></a>Download and Install</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Download the ArgoCD CLI</span></span><br><span class="line">curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/v2.9.2/argocd-linux-amd64</span><br><span class="line"></span><br><span class="line"><span class="comment"># Install into the system directory</span></span><br><span class="line"><span class="built_in">sudo</span> install -m 555 argocd-linux-amd64 /usr/local/bin/argocd</span><br><span class="line"><span class="built_in">rm</span> argocd-linux-amd64</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify the installation</span></span><br><span class="line">argocd version</span><br></pre></td></tr></table></figure><h3 id="多节点部署"><a href="#多节点部署" class="headerlink" title="多节点部署"></a>Multi-Node Deployment</h3><p>Install on every node that needs to use the ArgoCD CLI:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Distribute the CLI to other nodes (change the node names to match your environment)</span></span><br><span class="line"><span 
class="keyword">for</span> node <span class="keyword">in</span> <node1> <node2> <node3>; <span class="keyword">do</span></span><br><span class="line"> scp /usr/local/bin/argocd <span class="variable">$node</span>:/usr/local/bin/</span><br><span class="line"> ssh <span class="variable">$node</span> <span class="string">"chmod +x /usr/local/bin/argocd"</span></span><br><span class="line"><span class="keyword">done</span></span><br></pre></td></tr></table></figure><h2 id="服务端部署"><a href="#服务端部署" class="headerlink" title="服务端部署"></a>Server Deployment</h2><h3 id="准备命名空间"><a href="#准备命名空间" class="headerlink" title="准备命名空间"></a>Prepare the Namespace</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create a dedicated namespace</span></span><br><span class="line">kubectl create namespace argocd</span><br></pre></td></tr></table></figure><h3 id="部署-ArgoCD"><a href="#部署-ArgoCD" class="headerlink" title="部署 ArgoCD"></a>Deploy ArgoCD</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Add the Helm repository</span></span><br><span class="line">helm repo add argo https://argoproj.github.io/argo-helm</span><br><span class="line">helm repo update</span><br><span class="line"></span><br><span class="line"><span class="comment"># Create the values.yaml configuration file</span></span><br><span class="line"><span class="built_in">cat</span> > values.yaml <<<span class="string">EOF</span></span><br><span class="line"><span class="string"># Global configuration</span></span><br><span class="line"><span class="string">global:</span></span><br><span class="line"><span class="string"> image:</span></span><br><span class="line"><span class="string"> repository: quay.io/argoproj/argocd</span></span><br><span class="line"><span class="string"> tag: v2.9.2</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># HA configuration</span></span><br><span class="line"><span class="string">controller:</span></span><br><span 
class="line"><span class="string"> replicas: 2</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">server:</span></span><br><span class="line"><span class="string"> replicas: 2</span></span><br><span class="line"><span class="string"> service:</span></span><br><span class="line"><span class="string"> type: NodePort</span></span><br><span class="line"><span class="string"> nodePortHttp: <HTTP_PORT> # e.g. 30884</span></span><br><span class="line"><span class="string"> nodePortHttps: <HTTPS_PORT> # e.g. 30885</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># Redis HA configuration</span></span><br><span class="line"><span class="string">redis-ha:</span></span><br><span class="line"><span class="string"> enabled: true</span></span><br><span class="line"><span class="string"> persistentVolume:</span></span><br><span class="line"><span class="string"> enabled: true</span></span><br><span class="line"><span class="string"> size: 8Gi</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># Authentication configuration</span></span><br><span class="line"><span class="string">dex:</span></span><br><span class="line"><span class="string"> enabled: true</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"># Resource limits</span></span><br><span class="line"><span class="string">resources:</span></span><br><span class="line"><span class="string"> limits:</span></span><br><span class="line"><span class="string"> cpu: 500m</span></span><br><span class="line"><span class="string"> memory: 512Mi</span></span><br><span class="line"><span class="string"> requests:</span></span><br><span class="line"><span class="string"> cpu: 250m</span></span><br><span class="line"><span class="string"> memory: 256Mi</span></span><br><span class="line"><span class="string">EOF</span></span><br><span 
class="line"></span><br><span class="line"><span class="comment"># Install ArgoCD</span></span><br><span class="line">helm install argocd argo/argo-cd \</span><br><span class="line"> --namespace argocd \</span><br><span class="line"> --values values.yaml</span><br></pre></td></tr></table></figure><h3 id="验证部署"><a href="#验证部署" class="headerlink" title="验证部署"></a>Verify the Deployment</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check Pod status</span></span><br><span class="line">kubectl get pods -n argocd</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check Service status</span></span><br><span class="line">kubectl get svc -n argocd</span><br></pre></td></tr></table></figure><h2 id="访问配置"><a href="#访问配置" class="headerlink" title="访问配置"></a>Access Configuration</h2><h3 id="暴露服务"><a href="#暴露服务" class="headerlink" title="暴露服务"></a>Expose the Service</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Configure NodePort access (adjust the port numbers as needed)</span></span><br><span class="line">kubectl patch svc argocd-server -n argocd -p <span class="string">'{</span></span><br><span class="line"><span class="string"> "spec": {</span></span><br><span class="line"><span class="string"> "type": "NodePort",</span></span><br><span class="line"><span class="string"> "ports": [</span></span><br><span class="line"><span class="string"> {"nodePort": <HTTP_PORT>, "port": 80},</span></span><br><span class="line"><span class="string"> {"nodePort": <HTTPS_PORT>, "port": 443}</span></span><br><span class="line"><span class="string"> ]</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string">}'</span></span><br></pre></td></tr></table></figure><h3 id="配置-DNS"><a href="#配置-DNS" class="headerlink" title="配置 DNS"></a>Configure DNS</h3><p>Add a resolution entry in CoreDNS:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span 
class="line"><span class="comment"># Edit the CoreDNS configuration</span></span><br><span class="line"><span class="string">kubectl</span> <span class="string">-n</span> <span class="string">kube-system</span> <span class="string">edit</span> <span class="string">cm</span> <span class="string">coredns</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Add the following configuration (replace with the actual IP and domain name)</span></span><br><span class="line"><span class="string">hosts</span> {</span><br><span class="line"> <span class="string"><NODE_IP></span> <span class="string"><ARGOCD_DOMAIN></span> <span class="comment"># e.g. argocd.example.com</span></span><br><span class="line"> <span class="string">fallthrough</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment"># Restart CoreDNS</span></span><br><span class="line"><span class="string">kubectl</span> <span class="string">delete</span> <span class="string">pod</span> <span class="string">-n</span> <span class="string">kube-system</span> <span class="string">-l</span> <span class="string">k8s-app=kube-dns</span></span><br></pre></td></tr></table></figure><h2 id="初始配置"><a href="#初始配置" class="headerlink" title="初始配置"></a>Initial Configuration</h2><h3 id="获取初始密码"><a href="#获取初始密码" class="headerlink" title="获取初始密码"></a>Get the Initial Password</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Get the admin password</span></span><br><span class="line">kubectl -n argocd get secret argocd-initial-admin-secret \</span><br><span class="line"> -o jsonpath=<span class="string">"{.data.password}"</span> | <span class="built_in">base64</span> -d</span><br></pre></td></tr></table></figure><h3 id="修改密码"><a href="#修改密码" class="headerlink" title="修改密码"></a>Change the Password</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Log in to ArgoCD (use the actual domain name and port)</span></span><br><span class="line">argocd login <ARGOCD_DOMAIN>:<PORT></span><br><span class="line"></span><br><span 
class="comment"># Change the password</span></span><br><span class="line">argocd account update-password</span><br></pre></td></tr></table></figure><h2 id="RBAC-配置"><a href="#RBAC-配置" class="headerlink" title="RBAC 配置"></a>RBAC Configuration</h2><h3 id="角色配置"><a href="#角色配置" class="headerlink" title="角色配置"></a>Role Configuration</h3><p>Edit the <code>argocd-rbac-cm</code> configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">apiVersion:</span> <span class="string">v1</span></span><br><span class="line"><span class="attr">kind:</span> <span class="string">ConfigMap</span></span><br><span class="line"><span class="attr">metadata:</span></span><br><span class="line"> <span class="attr">name:</span> <span class="string">argocd-rbac-cm</span></span><br><span class="line"> <span class="attr">namespace:</span> <span class="string">argocd</span></span><br><span class="line"><span class="attr">data:</span></span><br><span class="line"> <span class="attr">policy.csv:</span> <span class="string">|</span></span><br><span class="line"><span class="string"> # Project administrator role</span></span><br><span class="line"><span class="string"> p, role:project-admin, applications, create, project/*, allow</span></span><br><span class="line"><span class="string"> p, role:project-admin, applications, delete, project/*, allow</span></span><br><span class="line"><span class="string"> p, role:project-admin, applications, sync, project/*, allow</span></span><br><span class="line"><span class="string"> p, role:project-admin, applications, update, project/*, allow</span></span><br><span class="line"><span class="string"> p, role:project-admin, logs, get, project/*, allow</span></span><br><span class="line"><span class="string"></span> </span><br><span class="line"> <span class="comment"># Read-only role</span></span><br><span class="line"> <span class="string">p,</span> <span class="string">role:readonly,</span> <span class="string">applications,</span> <span class="string">get,</span> <span 
class="string">*/*,</span> <span class="string">allow</span></span><br><span class="line"> <span class="string">p,</span> <span class="string">role:readonly,</span> <span class="string">logs,</span> <span class="string">get,</span> <span class="string">*/*,</span> <span class="string">allow</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># User group mapping</span></span><br><span class="line"> <span class="string">g,</span> <span class="string">project-admins,</span> <span class="string">role:project-admin</span></span><br><span class="line"> <span class="string">g,</span> <span class="string">viewers,</span> <span class="string">role:readonly</span></span><br><span class="line"> </span><br><span class="line"> <span class="attr">policy.default:</span> <span class="string">role:readonly</span></span><br></pre></td></tr></table></figure><h3 id="用户管理"><a href="#用户管理" class="headerlink" title="用户管理"></a>User Management</h3><p>Edit the <code>argocd-cm</code> configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">apiVersion:</span> <span class="string">v1</span></span><br><span class="line"><span class="attr">kind:</span> <span class="string">ConfigMap</span></span><br><span class="line"><span class="attr">metadata:</span></span><br><span class="line"> <span class="attr">name:</span> <span class="string">argocd-cm</span></span><br><span class="line"> <span class="attr">namespace:</span> <span class="string">argocd</span></span><br><span class="line"><span class="attr">data:</span></span><br><span class="line"> <span class="comment"># Enable local users</span></span><br><span class="line"> <span class="attr">accounts.project-admin:</span> <span class="string">apiKey,login</span></span><br><span class="line"> <span class="attr">accounts.viewer:</span> <span class="string">login</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># OIDC configuration (optional; configure to match your environment)</span></span><br><span 
class="line"> <span class="attr">oidc.config:</span> <span class="string">|</span></span><br><span class="line"><span class="string"> name: <SSO_PROVIDER></span></span><br><span class="line"><span class="string"> issuer: https://<SSO_URL>/auth/realms/<REALM_NAME></span></span><br><span class="line"><span class="string"> clientID: <CLIENT_ID></span></span><br><span class="line"><span class="string"> clientSecret: <CLIENT_SECRET></span></span><br></pre></td></tr></table></figure><h2 id="高级配置"><a href="#高级配置" class="headerlink" title="高级配置"></a>Advanced Configuration</h2><h3 id="资源限制"><a href="#资源限制" class="headerlink" title="资源限制"></a>Resource Limits</h3><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Set resource limits</span></span><br><span class="line"><span class="attr">spec:</span></span><br><span class="line"> <span class="attr">template:</span></span><br><span class="line"> <span class="attr">spec:</span></span><br><span class="line"> <span class="attr">containers:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">argocd-application-controller</span></span><br><span class="line"> <span class="attr">resources:</span></span><br><span class="line"> <span class="attr">limits:</span></span><br><span class="line"> <span class="attr">cpu:</span> <span class="string">"1"</span></span><br><span class="line"> <span class="attr">memory:</span> <span class="string">1Gi</span></span><br><span class="line"> <span class="attr">requests:</span></span><br><span class="line"> <span class="attr">cpu:</span> <span class="string">250m</span></span><br><span class="line"> <span class="attr">memory:</span> <span class="string">512Mi</span></span><br></pre></td></tr></table></figure><h3 id="TLS-配置"><a href="#TLS-配置" class="headerlink" title="TLS 配置"></a>TLS Configuration</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span 
class="line"><span class="comment"># Create the TLS certificate (use the actual certificate files)</span></span><br><span class="line">kubectl create secret tls argocd-server-tls \</span><br><span class="line"> --cert=<CERT_FILE> \</span><br><span class="line"> --key=<KEY_FILE> \</span><br><span class="line"> -n argocd</span><br><span class="line"></span><br><span class="line"><span class="comment"># Configure ArgoCD to use the certificate</span></span><br><span class="line">kubectl patch deployment argocd-server \</span><br><span class="line"> -n argocd \</span><br><span class="line"> --<span class="built_in">type</span> json \</span><br><span class="line"> -p=<span class="string">'[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--tls.certificate=/etc/argocd/tls/tls.crt"}, {"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--tls.privatekey=/etc/argocd/tls/tls.key"}]'</span></span><br></pre></td></tr></table></figure><h2 id="故障排查"><a href="#故障排查" class="headerlink" title="故障排查"></a>Troubleshooting</h2><h3 id="常见问题"><a href="#常见问题" class="headerlink" title="常见问题"></a>Common Issues</h3><ol><li><p>Login problems</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check that the password is correct</span></span><br><span class="line">argocd admin initial-password -n argocd</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check service status</span></span><br><span class="line">kubectl get pods -n argocd</span><br><span class="line">kubectl logs -f deployment/argocd-server -n argocd</span><br></pre></td></tr></table></figure></li><li><p>Sync failures</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check application status</span></span><br><span class="line">argocd app get <APP_NAME></span><br><span class="line">argocd app logs <APP_NAME></span><br><span class="line"></span><br><span class="line"><span class="comment"># Check controller logs</span></span><br><span class="line">kubectl logs -f deployment/argocd-application-controller -n 
argocd</span><br></pre></td></tr></table></figure></li></ol><h3 id="健康检查"><a href="#健康检查" class="headerlink" title="健康检查"></a>Health Checks</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check component status</span></span><br><span class="line">kubectl get pods -n argocd</span><br><span class="line">kubectl get svc -n argocd</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check system health</span></span><br><span class="line">argocd admin cluster info</span><br></pre></td></tr></table></figure><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best Practices</h2><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security Recommendations</h3><ul><li>Keep ArgoCD up to date</li><li>Use HTTPS and certificates</li><li>Apply the principle of least privilege</li><li>Rotate keys and certificates regularly</li><li>Enable audit logging</li></ul><h3 id="性能优化"><a href="#性能优化" class="headerlink" title="性能优化"></a>Performance Optimization</h3><ul><li>Configure resource limits sensibly</li><li>Use Redis HA to improve availability</li><li>Configure an appropriate sync interval</li><li>Use project configuration to restrict resource scope</li></ul>]]></content>
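<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article explains in detail how to deploy a highly available ArgoCD in a Kubernetes cluster, covering the complete deployment and configuration process: client tool installation, server deployment, TLS configuration, user authentication, and RBAC permission management.</p></summary>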
<category term="Kubernetes" scheme="https://freemankevin.uk/categories/Kubernetes/"/>
<category term="ArgoCD" scheme="https://freemankevin.uk/tags/ArgoCD/"/>
<category term="Helm" scheme="https://freemankevin.uk/tags/Helm/"/>
<category term="RBAC" scheme="https://freemankevin.uk/tags/RBAC/"/>
<category term="TLS" scheme="https://freemankevin.uk/tags/TLS/"/>
<category term="Kubernetes" scheme="https://freemankevin.uk/tags/Kubernetes/"/>
</entry>
<entry>
<title>How to Deploy GitLab Runner in a Kubernetes Environment</title>
<link href="https://freemankevin.uk/2025/01/15/k8s-runner/"/>
<id>https://freemankevin.uk/2025/01/15/k8s-runner/</id>
<published>2025-01-15T09:25:25.000Z</published>
<updated>2025-01-15T09:46:44.080Z</updated>
<content type="html"><![CDATA[<p> This article explains in detail how to deploy GitLab Runner in a Kubernetes cluster, covering the complete deployment and configuration process: environment preparation, Runner configuration, authentication setup, network support, and Harbor integration.</p><span id="more"></span><h2 id="环境要求"><a href="#环境要求" class="headerlink" title="环境要求"></a>Environment Requirements</h2><h3 id="基础环境"><a href="#基础环境" class="headerlink" title="基础环境"></a>Base Environment</h3><ul><li>Kubernetes cluster (version >= 1.16)</li><li>Helm (version >= 3.9)</li><li>kubectl configured with access to the cluster</li><li>GitLab server already deployed (version >= 15.11)</li></ul><h3 id="版本选择"><a href="#版本选择" class="headerlink" title="版本选择"></a>Version Selection</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># List available Runner versions</span></span><br><span class="line">helm repo add gitlab https://charts.gitlab.io</span><br><span class="line">helm repo update gitlab</span><br><span class="line">helm search repo -l gitlab/gitlab-runner | grep 15.11</span><br></pre></td></tr></table></figure><h2 id="Runner-安装配置"><a href="#Runner-安装配置" class="headerlink" title="Runner 安装配置"></a>Runner Installation and Configuration</h2><h3 id="准备安装包"><a href="#准备安装包" class="headerlink" title="准备安装包"></a>Prepare the Installation Package</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create a working directory</span></span><br><span class="line"><span class="built_in">mkdir</span> -p gitlab-runner && <span class="built_in">cd</span> gitlab-runner</span><br><span class="line"></span><br><span class="line"><span class="comment"># Download the Helm chart</span></span><br><span class="line">helm pull gitlab/gitlab-runner --version v0.52.1</span><br><span class="line">tar xf gitlab-runner-0.52.1.tgz</span><br><span class="line"><span class="built_in">cp</span> gitlab-runner/values.yaml{,.bak}</span><br></pre></td></tr></table></figure><h3 id="配置-Runner"><a href="#配置-Runner" class="headerlink" title="配置 Runner"></a>Configure the Runner</h3><p>Edit the <code>gitlab-runner/values.yaml</code> configuration file:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Runner image configuration</span></span><br><span 
class="line"><span class="attr">image:</span></span><br><span class="line"> <span class="attr">registry:</span> <span class="string">docker.io</span></span><br><span class="line"> <span class="attr">image:</span> <span class="string">gitlab/gitlab-runner</span></span><br><span class="line"> <span class="attr">tag:</span> <span class="string">alpine-v15.11.1</span></span><br><span class="line"> </span><br><span class="line"><span class="comment"># Harbor authentication configuration</span></span><br><span class="line"><span class="attr">imagePullSecrets:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"harbor-credentials"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Number of Runner instances</span></span><br><span class="line"><span class="attr">replicas:</span> <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># GitLab server configuration</span></span><br><span class="line"><span class="attr">gitlabUrl:</span> <span class="string">http://your-gitlab-server:port/</span></span><br><span class="line"><span class="comment">#certsSecretName: runner-tls-chain # required when using HTTPS</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Number of concurrent jobs</span></span><br><span class="line"><span class="attr">concurrent:</span> <span class="number">10</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Log level</span></span><br><span class="line"><span class="attr">logLevel:</span> <span class="string">info</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># RBAC configuration</span></span><br><span class="line"><span class="attr">rbac:</span></span><br><span class="line"> <span class="attr">create:</span> <span class="literal">true</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Monitoring configuration</span></span><br><span class="line"><span 
class="attr">metrics:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">portName:</span> <span class="string">metrics</span></span><br><span class="line"> <span class="attr">port:</span> <span class="number">9252</span></span><br><span class="line"> <span class="attr">serviceMonitor:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">false</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Runner-specific configuration</span></span><br><span class="line"><span class="attr">runners:</span></span><br><span class="line"> <span class="attr">config:</span> <span class="string">|</span></span><br><span class="line"><span class="string"> [[runners]]</span></span><br><span class="line"><span class="string"> [runners.kubernetes]</span></span><br><span class="line"><span class="string"> namespace = "{{.Release.Namespace}}"</span></span><br><span class="line"><span class="string"> image = "ubuntu:16.04"</span></span><br><span class="line"><span class="string"> [runners.custom_build_dir]</span></span><br><span class="line"><span class="string"> enabled = true</span></span><br><span class="line"><span class="string"> # Cache configuration - using MinIO</span></span><br><span class="line"><span class="string"> [runners.cache]</span></span><br><span class="line"><span class="string"> Type = "s3"</span></span><br><span class="line"><span class="string"> Path = "runner"</span></span><br><span class="line"><span class="string"> Shared = true</span></span><br><span class="line"><span class="string"> [runners.cache.s3]</span></span><br><span class="line"><span class="string"> ServerAddress = "your-minio-server:9000"</span></span><br><span class="line"><span class="string"> BucketName = "runner-cache"</span></span><br><span class="line"><span class="string"> AccessKey = "your-access-key"</span></span><br><span class="line"><span 
class="string"> SecretKey = "your-secret-key"</span></span><br><span class="line"><span class="string"> Insecure = true</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"> <span class="comment"># Runner executor configuration</span></span><br><span class="line"> <span class="attr">executor:</span> <span class="string">kubernetes</span></span><br><span class="line"> <span class="attr">privileged:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">tags:</span> <span class="string">"kubernetes"</span></span><br><span class="line"> <span class="attr">secret:</span> <span class="string">gitlab-runner</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Build container resource limits</span></span><br><span class="line"> <span class="attr">builds:</span> </span><br><span class="line"> <span class="attr">cpuLimit:</span> <span class="string">2010m</span></span><br><span class="line"> <span class="attr">cpuLimitOverwriteMaxAllowed:</span> <span class="string">2010m</span></span><br><span class="line"> <span class="attr">memoryLimit:</span> <span class="string">2060Mi</span></span><br><span class="line"> <span class="attr">memoryLimitOverwriteMaxAllowed:</span> <span class="string">2060Mi</span></span><br><span class="line"> <span class="attr">cpuRequests:</span> <span class="string">100m</span></span><br><span class="line"> <span class="attr">cpuRequestsOverwriteMaxAllowed:</span> <span class="string">100m</span></span><br><span class="line"> <span class="attr">memoryRequests:</span> <span class="string">128Mi</span></span><br><span class="line"> <span class="attr">memoryRequestsOverwriteMaxAllowed:</span> <span class="string">128Mi</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Service container resource limits</span></span><br><span class="line"> <span class="attr">services:</span> </span><br><span class="line"> <span class="attr">cpuLimit:</span> <span 
class="string">200m</span></span><br><span class="line"> <span class="attr">memoryLimit:</span> <span class="string">256Mi</span></span><br><span class="line"> <span class="attr">cpuRequests:</span> <span class="string">100m</span></span><br><span class="line"> <span class="attr">memoryRequests:</span> <span class="string">128Mi</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Helper container resource limits</span></span><br><span class="line"> <span class="attr">helpers:</span></span><br><span class="line"> <span class="attr">cpuLimit:</span> <span class="string">200m</span></span><br><span class="line"> <span class="attr">memoryLimit:</span> <span class="string">256Mi</span></span><br><span class="line"> <span class="attr">cpuRequests:</span> <span class="string">100m</span></span><br><span class="line"> <span class="attr">memoryRequests:</span> <span class="string">128Mi</span></span><br><span class="line"> <span class="attr">image:</span> <span class="string">"gitlab/gitlab-runner-helper:x86_64-v15.11.1"</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Runner Pod resource limits</span></span><br><span class="line"> <span class="attr">resources:</span> </span><br><span class="line"> <span class="attr">limits:</span></span><br><span class="line"> <span class="attr">memory:</span> <span class="string">256Mi</span></span><br><span class="line"> <span class="attr">cpu:</span> <span class="string">200m</span></span><br><span class="line"> <span class="attr">requests:</span></span><br><span class="line"> <span class="attr">memory:</span> <span class="string">128Mi</span></span><br><span class="line"> <span class="attr">cpu:</span> <span class="string">100m</span></span><br></pre></td></tr></table></figure><h2 id="认证配置"><a href="#认证配置" class="headerlink" title="认证配置"></a>Authentication Configuration</h2><h3 id="创建命名空间"><a href="#创建命名空间" class="headerlink" title="创建命名空间"></a>Create the Namespace</h3><figure class="highlight bash"><table><tr><td 
class="code"><pre><span class="line">kubectl create ns gitlab-runner</span><br></pre></td></tr></table></figure><h3 id="配置镜像仓库认证"><a href="#配置镜像仓库认证" class="headerlink" title="配置镜像仓库认证"></a>Configure image registry authentication</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create the Harbor credentials secret</span></span><br><span class="line">kubectl create secret docker-registry harbor-credentials \</span><br><span class="line"> --docker-server=your-harbor-server \</span><br><span class="line"> --docker-username=your-robot-account \</span><br><span class="line"> --docker-password=your-robot-password \</span><br><span class="line"> -n gitlab-runner</span><br></pre></td></tr></table></figure><h3 id="配置-Runner-注册令牌"><a href="#配置-Runner-注册令牌" class="headerlink" title="配置 Runner 注册令牌"></a>Configure the Runner registration token</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create the Runner registration secret</span></span><br><span class="line">kubectl create secret generic gitlab-runner \</span><br><span class="line"> --from-literal=runner-registration-token=your-registration-token \</span><br><span class="line"> --from-literal=runner-token=<span class="string">""</span> \</span><br><span class="line"> --<span class="built_in">type</span>=Opaque \</span><br><span class="line"> -n gitlab-runner</span><br></pre></td></tr></table></figure><h2 id="部署-Runner"><a href="#部署-Runner" class="headerlink" title="部署 Runner"></a>Deploy the Runner</h2><h3 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Install</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Deploy the Runner</span></span><br><span class="line">helm install gitlab-runner ./gitlab-runner \</span><br><span class="line"> -f gitlab-runner/values.yaml \</span><br><span class="line"> --namespace gitlab-runner \</span><br><span class="line"> --create-namespace</span><br></pre></td></tr></table></figure><h3 id="更新配置"><a href="#更新配置" 
class="headerlink" title="更新配置"></a>Update the configuration</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Update the Runner configuration</span></span><br><span class="line">helm upgrade gitlab-runner ./gitlab-runner \</span><br><span class="line"> -f gitlab-runner/values.yaml \</span><br><span class="line"> --namespace gitlab-runner</span><br></pre></td></tr></table></figure><h3 id="卸载"><a href="#卸载" class="headerlink" title="卸载"></a>Uninstall</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Completely uninstall the Runner</span></span><br><span class="line">helm -n gitlab-runner uninstall gitlab-runner</span><br></pre></td></tr></table></figure><h2 id="网络配置"><a href="#网络配置" class="headerlink" title="网络配置"></a>Network configuration</h2><h3 id="GitLab-服务器配置"><a href="#GitLab-服务器配置" class="headerlink" title="GitLab 服务器配置"></a>GitLab server configuration</h3><ol><li><p>Modify the main GitLab configuration:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Edit /etc/gitlab/gitlab.rb</span></span><br><span class="line">gitlab_rails[<span class="string">'outbound_local_requests'</span>] = { <span class="string">"allow"</span> => <span class="literal">true</span> }</span><br><span class="line"></span><br><span class="line"><span class="comment"># Restart the GitLab services</span></span><br><span class="line">gitlab-ctl restart</span><br></pre></td></tr></table></figure></li><li><p>Configure the network access allowlist:</p></li></ol><ul><li>Path: <code>http(s)://<gitlab-server>:<port>/admin/application_settings/network</code></li><li>Enable the following options:<ul><li><input checked="" disabled="" type="checkbox"> Allow requests to the local network from webhooks and integrations</li><li><input checked="" disabled="" type="checkbox"> Allow requests to the local network from system hooks</li></ul></li><li>Add the internal domains/IPs that are allowed to be accessed:<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">harbor.your-domain.com</span><br><span 
class="line">minio.your-domain.com</span><br><span class="line">traefik.your-domain.com</span><br><span class="line">argocd.your-domain.com</span><br><span class="line">yourserver-internal-ips</span><br></pre></td></tr></table></figure></li></ul><h2 id="Harbor-集成"><a href="#Harbor-集成" class="headerlink" title="Harbor 集成"></a>Harbor integration</h2><h3 id="GitLab-配置-Harbor"><a href="#GitLab-配置-Harbor" class="headerlink" title="GitLab 配置 Harbor"></a>Configure Harbor in GitLab</h3><ol><li>Open the configuration page: <code>http(s)://<gitlab-server>:<port>/groups/your-group/-/settings/integrations</code></li><li>Find the Harbor configuration section:<ul><li><input checked="" disabled="" type="checkbox"> Enable integration</li><li>Harbor URL: <code>https://your-harbor-server</code></li><li>Harbor project name: <code>your-project-name</code></li><li>Harbor username: <code>your-robot-account</code></li><li>Harbor password: <code>your-robot-password</code></li></ul></li></ol><h3 id="配置-Harbor-证书"><a href="#配置-Harbor-证书" class="headerlink" title="配置 Harbor 证书"></a>Configure the Harbor certificate</h3><p>Configure the Harbor certificate on all Worker nodes:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Copy the certificates</span></span><br><span class="line"><span class="built_in">cp</span> /etc/tls/harbor/ca.crt /etc/ssl/certs/</span><br><span class="line"><span class="built_in">cp</span> /etc/tls/harbor/harbor.cert /etc/ssl/certs/</span><br><span class="line"></span><br><span class="line"><span class="comment"># Update the certificate store</span></span><br><span class="line">update-ca-certificates</span><br><span class="line"></span><br><span class="line"><span class="comment"># Restart the container runtime</span></span><br><span class="line">systemctl restart containerd</span><br></pre></td></tr></table></figure><h2 id="故障排查"><a href="#故障排查" class="headerlink" title="故障排查"></a>Troubleshooting</h2><h3 id="常见问题"><a href="#常见问题" class="headerlink" title="常见问题"></a>Common issues</h3><ol><li><p>Image pull failure</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span 
class="comment"># Check the Harbor credentials configuration</span></span><br><span class="line">kubectl get secret harbor-credentials -n gitlab-runner</span><br><span class="line">kubectl describe secret harbor-credentials -n gitlab-runner</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check the certificate configuration</span></span><br><span class="line"><span class="built_in">ls</span> -l /etc/ssl/certs/harbor*</span><br></pre></td></tr></table></figure></li><li><p>Runner registration failure</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check the Runner status</span></span><br><span class="line">kubectl get pods -n gitlab-runner</span><br><span class="line">kubectl logs -f <runner-pod-name> -n gitlab-runner</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify the GitLab connection</span></span><br><span class="line">curl -k https://your-gitlab-server/</span><br></pre></td></tr></table></figure></li></ol><h3 id="资源限制验证"><a href="#资源限制验证" class="headerlink" title="资源限制验证"></a>Verifying resource limits</h3><p>Check whether the Runner Pod's resource limits have taken effect:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">kubectl get pod <runner-pod-name> -n gitlab-runner -o yaml</span><br></pre></td></tr></table></figure><h3 id="日志查看"><a href="#日志查看" class="headerlink" title="日志查看"></a>Viewing logs</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># View the Runner Pod logs</span></span><br><span class="line">kubectl logs -f <runner-pod-name> -n gitlab-runner</span><br><span class="line"></span><br><span class="line"><span class="comment"># View the build job Pod logs</span></span><br><span class="line">kubectl logs -f <build-pod-name> -n gitlab-runner</span><br></pre></td></tr></table></figure><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best practices</h2><h3 id="资源配置建议"><a href="#资源配置建议" class="headerlink" 
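title="资源配置建议"></a>Resource configuration recommendations</h3><ul><li>Adjust resource limits according to project size and build requirements</li><li>Set different resource configurations for different types of build jobs</li><li>Configure a sensible caching strategy to improve build efficiency</li></ul><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security recommendations</h3><ul><li>Use a dedicated Runner namespace</li><li>Configure appropriate RBAC permissions</li><li>Update the Runner version regularly</li><li>Use HTTPS for secure communication</li><li>Store all keys and certificates securely</li></ul>]]></content>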
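<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article explains in detail how to deploy GitLab Runner in a Kubernetes cluster, covering the complete deployment and configuration process: environment preparation, Runner configuration, authentication settings, network support, and Harbor integration.</p></summary>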
<category term="Kubernetes" scheme="https://freemankevin.uk/categories/Kubernetes/"/>
<category term="Helm" scheme="https://freemankevin.uk/tags/Helm/"/>
<category term="Kubernetes" scheme="https://freemankevin.uk/tags/Kubernetes/"/>
<category term="GitLab" scheme="https://freemankevin.uk/tags/GitLab/"/>
<category term="Runner" scheme="https://freemankevin.uk/tags/Runner/"/>
</entry>
<entry>
<title>How to Deploy Traefik in a Kubernetes Environment</title>
<link href="https://freemankevin.uk/2025/01/15/k8s-traefik/"/>
<id>https://freemankevin.uk/2025/01/15/k8s-traefik/</id>
<published>2025-01-15T09:10:25.000Z</published>
<updated>2025-01-15T09:47:04.161Z</updated>
<content type="html"><![CDATA[<p> This article explains in detail how to install and configure the Traefik Ingress Controller with TLS in a Kubernetes cluster. It covers the complete process: environment preparation, installation and configuration, TLS certificate management, authentication settings, and troubleshooting of common issues.</p><span id="more"></span><h2 id="环境要求"><a href="#环境要求" class="headerlink" title="环境要求"></a>Environment requirements</h2><h3 id="基础环境要求"><a href="#基础环境要求" class="headerlink" title="基础环境要求"></a>Basic environment requirements</h3><ul><li>Kubernetes cluster (version >= 1.16)</li><li>Helm (version >= 3.9)</li><li>kubectl configured with access to the cluster</li></ul><h3 id="版本信息"><a href="#版本信息" class="headerlink" title="版本信息"></a>Version information</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check the helm version</span></span><br><span class="line">helm version</span><br></pre></td></tr></table></figure><h2 id="安装-Traefik"><a href="#安装-Traefik" class="headerlink" title="安装 Traefik"></a>Install Traefik</h2><h3 id="添加-Helm-仓库"><a href="#添加-Helm-仓库" class="headerlink" title="添加 Helm 仓库"></a>Add the Helm repository</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Add the official helm repository</span></span><br><span class="line">helm repo add traefik https://traefik.github.io/charts</span><br><span class="line">helm repo update</span><br><span class="line"></span><br><span class="line"><span class="comment"># List available versions</span></span><br><span class="line">helm search repo traefik/traefik -l</span><br></pre></td></tr></table></figure><h3 id="准备配置文件"><a href="#准备配置文件" class="headerlink" title="准备配置文件"></a>Prepare the configuration file</h3><p>Create the <code>values.yaml</code> configuration file:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Traefik basic configuration</span></span><br><span class="line"><span class="attr">ingressRoute:</span></span><br><span class="line"> <span class="attr">dashboard:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"></span><br><span class="line"><span class="attr">ingressClass:</span></span><br><span class="line"> <span 
class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">isDefaultClass:</span> <span class="literal">false</span></span><br><span class="line"></span><br><span class="line"><span class="attr">providers:</span></span><br><span class="line"> <span class="attr">kubernetesCRD:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">allowCrossNamespace:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">allowExternalNameServices:</span> <span class="literal">true</span></span><br><span class="line"></span><br><span class="line"> <span class="attr">kubernetesIngress:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">allowExternalNameServices:</span> <span class="literal">true</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Logging configuration</span></span><br><span class="line"><span class="attr">logs:</span></span><br><span class="line"> <span class="attr">general:</span></span><br><span class="line"> <span class="attr">level:</span> <span class="string">DEBUG</span></span><br><span class="line"> <span class="attr">access:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Service configuration</span></span><br><span class="line"><span class="attr">service:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">single:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">type:</span> <span class="string">ClusterIP</span></span><br><span class="line"></span><br><span class="line"><span 
class="comment"># Additional arguments</span></span><br><span class="line"><span class="attr">additionalArguments:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"--log.level=DEBUG"</span></span><br></pre></td></tr></table></figure><h3 id="部署-Traefik"><a href="#部署-Traefik" class="headerlink" title="部署 Traefik"></a>Deploy Traefik</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create the namespace and install Traefik</span></span><br><span class="line">helm install traefik traefik/traefik \</span><br><span class="line"> --namespace=traefik-v2 \</span><br><span class="line"> --create-namespace \</span><br><span class="line"> --values=values.yaml \</span><br><span class="line"> --version 25.0.0</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check the deployment status</span></span><br><span class="line">kubectl get pods -n traefik-v2</span><br></pre></td></tr></table></figure><h2 id="配置-TLS"><a href="#配置-TLS" class="headerlink" title="配置 TLS"></a>Configure TLS</h2><h3 id="生成证书"><a href="#生成证书" class="headerlink" title="生成证书"></a>Generate certificates</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create the certificate directory</span></span><br><span class="line"><span class="built_in">mkdir</span> -p tls && <span class="built_in">cd</span> tls</span><br><span class="line"></span><br><span class="line"><span class="comment"># Create the CA configuration file</span></span><br><span class="line"><span class="built_in">cat</span> > openssl-ca.cnf <<<span class="string">EOF</span></span><br><span class="line"><span class="string">[req]</span></span><br><span class="line"><span class="string">distinguished_name = req_distinguished_name</span></span><br><span class="line"><span class="string">x509_extensions = v3_ca</span></span><br><span class="line"><span class="string">default_days = 3650</span></span><br><span class="line"><span class="string">default_md = sha256</span></span><br><span 
class="line"><span class="string">prompt = no</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">[req_distinguished_name]</span></span><br><span class="line"><span class="string">CN = My Root CA</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">[v3_ca]</span></span><br><span class="line"><span class="string">subjectKeyIdentifier=hash</span></span><br><span class="line"><span class="string">authorityKeyIdentifier=keyid:always,issuer</span></span><br><span class="line"><span class="string">basicConstraints = critical, CA:true </span></span><br><span class="line"><span class="string">EOF</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Create the server certificate configuration</span></span><br><span class="line"><span class="built_in">cat</span> > openssl-server.cnf <<<span class="string">EOF</span></span><br><span class="line"><span class="string">[req]</span></span><br><span class="line"><span class="string">distinguished_name = req_distinguished_name</span></span><br><span class="line"><span class="string">x509_extensions = v3_req</span></span><br><span class="line"><span class="string">prompt = no</span></span><br><span class="line"><span class="string">default_days = 3650</span></span><br><span class="line"><span class="string">default_md = sha256</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">[req_distinguished_name]</span></span><br><span class="line"><span class="string">CN = traefik.k8scluster.com</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">[v3_req]</span></span><br><span class="line"><span class="string">keyUsage = digitalSignature, keyEncipherment</span></span><br><span class="line"><span class="string">extendedKeyUsage = serverAuth</span></span><br><span class="line"><span 
class="string">subjectAltName = @alt_names</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">[alt_names]</span></span><br><span class="line"><span class="string">DNS.1 = traefik.k8scluster.com</span></span><br><span class="line"><span class="string">EOF</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Generate the certificates</span></span><br><span class="line">openssl genrsa -out rootCA.key 2048</span><br><span class="line">openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -config openssl-ca.cnf</span><br><span class="line">openssl genrsa -out server.key 2048</span><br><span class="line">openssl req -new -key server.key -out server.csr -config openssl-server.cnf</span><br><span class="line">openssl x509 -req -<span class="keyword">in</span> server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 3650 -sha256 -extensions v3_req -extfile openssl-server.cnf</span><br></pre></td></tr></table></figure><h3 id="创建-TLS-Secret"><a href="#创建-TLS-Secret" class="headerlink" title="创建 TLS Secret"></a>Create the TLS Secret</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">kubectl create secret tls traefik-ingress-dashboard \</span><br><span class="line"> --namespace traefik-v2 \</span><br><span class="line"> --key ./server.key \</span><br><span class="line"> --cert ./server.crt</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify the certificate</span></span><br><span class="line">kubectl -n traefik-v2 get secret traefik-ingress-dashboard -o jsonpath=<span class="string">"{.data.tls\.crt}"</span> | <span class="built_in">base64</span> --decode | openssl x509 -inform pem -text -noout</span><br></pre></td></tr></table></figure><h2 id="配置认证"><a href="#配置认证" class="headerlink" title="配置认证"></a>Configure authentication</h2><h3 id="创建-Basic-Auth"><a href="#创建-Basic-Auth" class="headerlink" title="创建 Basic 
Auth"></a>Create Basic Auth</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Install the htpasswd tool</span></span><br><span class="line">apt-get update && apt-get install apache2-utils -y</span><br><span class="line"></span><br><span class="line"><span class="comment"># Generate the password</span></span><br><span class="line">htpasswd -nb admin <your-password> | kubectl create secret generic basic-auth \</span><br><span class="line"> --namespace=traefik-v2 \</span><br><span class="line"> --from-file=auth=/dev/stdin</span><br></pre></td></tr></table></figure><h3 id="创建-IngressRoute"><a href="#创建-IngressRoute" class="headerlink" title="创建 IngressRoute"></a>Create the IngressRoute</h3><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># traefik-websecure-dashboard.yaml</span></span><br><span class="line"><span class="attr">apiVersion:</span> <span class="string">traefik.containo.us/v1alpha1</span></span><br><span class="line"><span class="attr">kind:</span> <span class="string">IngressRoute</span></span><br><span class="line"><span class="attr">metadata:</span></span><br><span class="line"> <span class="attr">name:</span> <span class="string">websecure-dashboard</span></span><br><span class="line"> <span class="attr">namespace:</span> <span class="string">traefik-v2</span></span><br><span class="line"><span class="attr">spec:</span></span><br><span class="line"> <span class="attr">entryPoints:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">websecure</span></span><br><span class="line"> <span class="attr">routes:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">match:</span> <span class="string">Host(`traefik.k8scluster.com`)</span> <span class="string">&&</span> <span class="string">(PathPrefix(`/dashboard`)</span> <span class="string">||</span> <span class="string">PathPrefix(`/api`))</span></span><br><span 
class="line"> <span class="attr">kind:</span> <span class="string">Rule</span></span><br><span class="line"> <span class="attr">services:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">api@internal</span></span><br><span class="line"> <span class="attr">kind:</span> <span class="string">TraefikService</span></span><br><span class="line"> <span class="attr">middlewares:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">basic-auth</span></span><br><span class="line"> <span class="attr">namespace:</span> <span class="string">traefik-v2</span></span><br><span class="line"> <span class="attr">tls:</span></span><br><span class="line"> <span class="attr">secretName:</span> <span class="string">traefik-ingress-dashboard</span></span><br></pre></td></tr></table></figure><h3 id="创建认证中间件"><a href="#创建认证中间件" class="headerlink" title="创建认证中间件"></a>Create the authentication middleware</h3><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># traefik-middleware.yaml</span></span><br><span class="line"><span class="attr">apiVersion:</span> <span class="string">traefik.containo.us/v1alpha1</span></span><br><span class="line"><span class="attr">kind:</span> <span class="string">Middleware</span></span><br><span class="line"><span class="attr">metadata:</span></span><br><span class="line"> <span class="attr">name:</span> <span class="string">basic-auth</span></span><br><span class="line"> <span class="attr">namespace:</span> <span class="string">traefik-v2</span></span><br><span class="line"><span class="attr">spec:</span></span><br><span class="line"> <span class="attr">basicAuth:</span></span><br><span class="line"> <span class="attr">secret:</span> <span class="string">basic-auth</span></span><br></pre></td></tr></table></figure><h2 id="暴露服务"><a href="#暴露服务" class="headerlink" title="暴露服务"></a>Expose the service</h2><figure 
class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Configure the NodePort service</span></span><br><span class="line">kubectl patch svc traefik -n traefik-v2 -p <span class="string">'{</span></span><br><span class="line"><span class="string"> "spec": {</span></span><br><span class="line"><span class="string"> "type": "NodePort",</span></span><br><span class="line"><span class="string"> "ports": [</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> "name": "web",</span></span><br><span class="line"><span class="string"> "port": 80,</span></span><br><span class="line"><span class="string"> "targetPort": "web",</span></span><br><span class="line"><span class="string"> "nodePort": 30882</span></span><br><span class="line"><span class="string"> },</span></span><br><span class="line"><span class="string"> {</span></span><br><span class="line"><span class="string"> "name": "websecure",</span></span><br><span class="line"><span class="string"> "port": 443,</span></span><br><span class="line"><span class="string"> "targetPort": "websecure",</span></span><br><span class="line"><span class="string"> "nodePort": 30883</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"> ]</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string">}'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify the service status</span></span><br><span class="line">kubectl get svc -n traefik-v2</span><br></pre></td></tr></table></figure><h2 id="访问控制台"><a href="#访问控制台" class="headerlink" title="访问控制台"></a>Access the dashboard</h2><ol><li><p>Add a DNS record (for local testing you can edit the hosts file):</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">echo</span> <span class="string">"<span class="variable">${NODE_IP}</span> traefik.k8scluster.com"</span> 
>> /etc/hosts</span><br></pre></td></tr></table></figure></li><li><p>Access URL:</p></li></ol><ul><li>Dashboard: <a href="https://traefik.k8scluster.com:30883/dashboard/">https://traefik.k8scluster.com:30883/dashboard/</a></li><li>Log in with the username and password set earlier</li></ul><h2 id="常见问题排查"><a href="#常见问题排查" class="headerlink" title="常见问题排查"></a>Troubleshooting common issues</h2><h3 id="证书问题"><a href="#证书问题" class="headerlink" title="证书问题"></a>Certificate issues</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check that the certificate was created correctly</span></span><br><span class="line">kubectl get secret -n traefik-v2</span><br><span class="line">kubectl describe secret traefik-ingress-dashboard -n traefik-v2</span><br></pre></td></tr></table></figure><h3 id="访问问题"><a href="#访问问题" class="headerlink" title="访问问题"></a>Access issues</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check the Pod status</span></span><br><span class="line">kubectl get pods -n traefik-v2</span><br><span class="line">kubectl describe pod -n traefik-v2 <pod-name></span><br><span class="line"></span><br><span class="line"><span class="comment"># Check the logs</span></span><br><span class="line">kubectl logs -n traefik-v2 <pod-name></span><br></pre></td></tr></table></figure><h3 id="配置更新"><a href="#配置更新" class="headerlink" title="配置更新"></a>Configuration updates</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Update the Traefik configuration</span></span><br><span class="line">helm upgrade traefik traefik/traefik \</span><br><span class="line"> --namespace=traefik-v2 \</span><br><span class="line"> --values=values.yaml</span><br></pre></td></tr></table></figure>]]></content>
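<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article explains in detail how to install and configure the Traefik Ingress Controller with TLS in a Kubernetes cluster. It covers the complete process: environment preparation, installation and configuration, TLS certificate management, authentication settings, and troubleshooting of common issues.</p></summary>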
<category term="Kubernetes" scheme="https://freemankevin.uk/categories/Kubernetes/"/>
<category term="TLS" scheme="https://freemankevin.uk/tags/TLS/"/>
<category term="Kubernetes" scheme="https://freemankevin.uk/tags/Kubernetes/"/>
<category term="NGINX" scheme="https://freemankevin.uk/tags/NGINX/"/>
<category term="Traefik" scheme="https://freemankevin.uk/tags/Traefik/"/>
</entry>
<entry>
<title>MinIO TLS Deployment Guide</title>
<link href="https://freemankevin.uk/2025/01/15/tls-minio/"/>
<id>https://freemankevin.uk/2025/01/15/tls-minio/</id>
<published>2025-01-15T08:49:25.000Z</published>
<updated>2025-01-15T08:50:36.997Z</updated>
<content type="html"><![CDATA[<p> This article describes in detail a TLS-secured deployment of the MinIO object storage service, covering service installation, TLS certificate configuration, and the Nginx reverse proxy. Through online installation and configuration it provides secure HTTPS access to the MinIO service, and is intended as a reference for operations staff who need to deploy a secure object storage service.</p><span id="more"></span><h2 id="安装-MinIO-服务"><a href="#安装-MinIO-服务" class="headerlink" title="安装 MinIO 服务"></a>Install the MinIO service</h2><h3 id="安装MinIO服务端"><a href="#安装MinIO服务端" class="headerlink" title="安装MinIO服务端"></a>Install the MinIO server</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Add the MinIO repository</span></span><br><span class="line">curl -O https://dl.min.io/repos/minio-repo.sh</span><br><span class="line">sh minio-repo.sh</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Install MinIO</span></span><br><span class="line">apt update && apt install minio -y</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Verify the installation</span></span><br><span class="line">minio --version</span><br></pre></td></tr></table></figure><h3 id="安装MinIO客户端-可选"><a href="#安装MinIO客户端-可选" class="headerlink" title="安装MinIO客户端(可选)"></a>Install the MinIO client (optional)</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Download the MinIO client</span></span><br><span class="line">curl https://dl.min.io/client/mc/release/linux-amd64/mc -o /usr/local/bin/mc</span><br><span class="line">chmod +x /usr/local/bin/mc</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Verify the installation</span></span><br><span class="line">mc --version</span><br></pre></td></tr></table></figure><h2 id="配置TLS证书"><a href="#配置TLS证书" class="headerlink" title="配置TLS证书"></a>Configure TLS certificates</h2><h3 id="创建证书目录"><a href="#创建证书目录" class="headerlink" 
title="创建证书目录"></a>Create the certificate directory</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">mkdir -p /etc/minio/ssl/certs && cd /etc/minio/ssl/certs</span><br></pre></td></tr></table></figure><h3 id="生成CA配置"><a href="#生成CA配置" class="headerlink" title="生成CA配置"></a>Generate the CA configuration</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">cat > openssl-ca.cnf <<EOF</span><br><span class="line">[req]</span><br><span class="line">distinguished_name = req_distinguished_name</span><br><span class="line">x509_extensions = v3_ca</span><br><span class="line">default_days = 3650</span><br><span class="line">default_md = sha256</span><br><span class="line">prompt = no</span><br><span class="line"></span><br><span class="line">[req_distinguished_name]</span><br><span class="line">CN = My Root CA</span><br><span class="line"></span><br><span class="line">[v3_ca]</span><br><span class="line">subjectKeyIdentifier=hash</span><br><span class="line">authorityKeyIdentifier=keyid:always,issuer</span><br><span class="line">basicConstraints = critical, CA:true</span><br><span class="line">EOF</span><br></pre></td></tr></table></figure><h3 id="生成服务器证书配置"><a href="#生成服务器证书配置" class="headerlink" title="生成服务器证书配置"></a>Generate the server certificate configuration</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">cat > openssl-server.cnf <<EOF</span><br><span class="line">[req]</span><br><span class="line">distinguished_name = req_distinguished_name</span><br><span class="line">x509_extensions = v3_req</span><br><span class="line">prompt = no</span><br><span class="line">default_days = 3650</span><br><span class="line">default_md = sha256</span><br><span class="line"></span><br><span class="line">[req_distinguished_name]</span><br><span class="line">CN = minio.objectstorage.com</span><br><span class="line"></span><br><span class="line">[v3_req]</span><br><span class="line">keyUsage = digitalSignature, keyEncipherment</span><br><span 
class="line">extendedKeyUsage = serverAuth</span><br><span class="line">subjectAltName = @alt_names</span><br><span class="line"></span><br><span class="line">[alt_names]</span><br><span class="line">DNS.1 = minio.objectstorage.com</span><br><span class="line">IP.1 = YOUR_SERVER_IP</span><br><span class="line">EOF</span><br></pre></td></tr></table></figure><h3 id="生成证书"><a href="#生成证书" class="headerlink" title="生成证书"></a>Generate the certificates</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Generate the CA certificate</span></span><br><span class="line">openssl genrsa -out rootCA.key 2048</span><br><span class="line">openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -config openssl-ca.cnf</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Generate the server certificate</span></span><br><span class="line">openssl genrsa -out server.key 2048</span><br><span class="line">openssl req -new -key server.key -out server.csr -config openssl-server.cnf</span><br><span class="line">openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \</span><br><span class="line"> -out server.crt -days 3650 -sha256 -extensions v3_req -extfile openssl-server.cnf</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Rename to the file names MinIO requires</span></span><br><span class="line">mv server.key private.key</span><br><span class="line">mv server.crt public.crt</span><br></pre></td></tr></table></figure><h2 id="配置MinIO服务"><a href="#配置MinIO服务" class="headerlink" title="配置MinIO服务"></a>Configure the MinIO service</h2><h3 id="创建数据目录"><a href="#创建数据目录" class="headerlink" title="创建数据目录"></a>Create the data directory</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">mkdir -p 
/data/minio</span><br></pre></td></tr></table></figure><h3 id="配置MinIO环境"><a href="#配置MinIO环境" class="headerlink" title="配置MinIO环境"></a>Configure the MinIO environment</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">cat > /etc/default/minio <<EOF</span><br><span class="line">MINIO_ROOT_USER=admin</span><br><span class="line">MINIO_ROOT_PASSWORD=admin@123</span><br><span class="line">MINIO_VOLUMES="/data/minio"</span><br><span class="line">MINIO_SERVER_URL="https://minio.objectstorage.com:9000"</span><br><span class="line">MINIO_OPTS="--address :9000 --certs-dir /etc/minio/ssl/certs --console-address :9001"</span><br><span class="line">EOF</span><br></pre></td></tr></table></figure><h3 id="设置权限"><a href="#设置权限" class="headerlink" title="设置权限"></a>Set permissions</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">useradd -r minio-user -s /sbin/nologin</span><br><span class="line">chown -R minio-user:minio-user /data/minio</span><br><span class="line">chown -R minio-user:minio-user /etc/minio</span><br></pre></td></tr></table></figure><h2 id="配置Nginx代理"><a href="#配置Nginx代理" class="headerlink" title="配置Nginx代理"></a>Configure the Nginx proxy</h2><h3 id="安装Nginx"><a href="#安装Nginx" class="headerlink" title="安装Nginx"></a>Install Nginx</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">apt update && apt install nginx -y</span><br></pre></td></tr></table></figure><h3 id="配置Nginx代理-1"><a href="#配置Nginx代理-1" class="headerlink" title="配置Nginx代理"></a>Configure the Nginx proxy</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">cat > /etc/nginx/conf.d/minio.conf <<EOF</span><br><span class="line">upstream minio_s3 {</span><br><span class="line">    server localhost:9000;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">upstream minio_console {</span><br><span class="line">    server localhost:9001;</span><br><span class="line">}</span><br><span
class="line"></span><br><span class="line">server {</span><br><span class="line">    listen 443 ssl;</span><br><span class="line">    server_name minio.objectstorage.com;</span><br><span class="line"></span><br><span class="line">    ssl_certificate /etc/nginx/ssl/minio/public.crt;</span><br><span class="line">    ssl_certificate_key /etc/nginx/ssl/minio/private.key;</span><br><span class="line"></span><br><span class="line">    # Proxy the MinIO API</span><br><span class="line">    location / {</span><br><span class="line">        proxy_set_header Host \$http_host;</span><br><span class="line">        proxy_set_header X-Real-IP \$remote_addr;</span><br><span class="line">        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;</span><br><span class="line">        proxy_set_header X-Forwarded-Proto \$scheme;</span><br><span class="line"></span><br><span class="line">        proxy_connect_timeout 300;</span><br><span class="line">        proxy_http_version 1.1;</span><br><span class="line">        proxy_set_header Connection "";</span><br><span class="line">        chunked_transfer_encoding off;</span><br><span class="line"></span><br><span class="line">        # MinIO serves TLS on 9000 (--certs-dir is set), so the upstream scheme is https</span><br><span class="line">        proxy_pass https://minio_s3;</span><br><span class="line">    }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">server {</span><br><span class="line">    listen 9443 ssl;</span><br><span class="line">    server_name minio.objectstorage.com;</span><br><span class="line"></span><br><span class="line">    ssl_certificate /etc/nginx/ssl/minio/public.crt;</span><br><span class="line">    ssl_certificate_key /etc/nginx/ssl/minio/private.key;</span><br><span class="line"></span><br><span class="line">    # Proxy the MinIO Console</span><br><span class="line">    location / {</span><br><span class="line">        proxy_set_header Host \$http_host;</span><br><span class="line">        proxy_set_header X-Real-IP \$remote_addr;</span><br><span class="line">        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;</span><br><span class="line">        proxy_set_header X-Forwarded-Proto
\$scheme;</span><br><span class="line"></span><br><span class="line">        proxy_connect_timeout 300;</span><br><span class="line">        proxy_http_version 1.1;</span><br><span class="line">        proxy_set_header Upgrade \$http_upgrade;</span><br><span class="line">        proxy_set_header Connection "upgrade";</span><br><span class="line"></span><br><span class="line">        # The console on 9001 also serves TLS when --certs-dir is set</span><br><span class="line">        proxy_pass https://minio_console;</span><br><span class="line">    }</span><br><span class="line">}</span><br><span class="line">EOF</span><br></pre></td></tr></table></figure><h2 id="启动服务"><a href="#启动服务" class="headerlink" title="启动服务"></a>Start the services</h2><h3 id="启动MinIO"><a href="#启动MinIO" class="headerlink" title="启动MinIO"></a>Start MinIO</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">systemctl start minio</span><br><span class="line">systemctl enable minio</span><br></pre></td></tr></table></figure><h3 id="启动Nginx"><a href="#启动Nginx" class="headerlink" title="启动Nginx"></a>Start Nginx</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">systemctl start nginx</span><br><span class="line">systemctl enable nginx</span><br></pre></td></tr></table></figure><h2 id="验证部署"><a href="#验证部署" class="headerlink" title="验证部署"></a>Verify the deployment</h2><h3 id="检查服务状态"><a href="#检查服务状态" class="headerlink" title="检查服务状态"></a>Check service status</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">systemctl status minio</span><br><span class="line">systemctl status nginx</span><br></pre></td></tr></table></figure><h3 id="验证访问"><a href="#验证访问" class="headerlink" title="验证访问"></a>Verify access</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Test the API endpoint (liveness probe)</span></span><br><span class="line">curl -k https://minio.objectstorage.com/minio/health/live</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span
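class="language-bash">Access the console</span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Open https://minio.objectstorage.com:9443 in a browser</span></span><br></pre></td></tr></table></figure><h2 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>Notes</h2><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security recommendations</h3><ol><li><p>Access control:</p><ul><li>Change the default administrator password and enforce a strong password policy</li><li>Manage access with policies, following the principle of least privilege</li><li>Audit access logs regularly and monitor for anomalous access</li><li>Configure an IP allowlist to restrict who can reach the management console</li></ul></li><li><p>Certificate management:</p><ul><li>Use an appropriate certificate validity period (1-2 years recommended)</li><li>Set up certificate expiry reminders</li><li>Protect the certificate private key against disclosure</li><li>Renew certificates regularly to keep TLS secure</li></ul></li><li><p>Network security:</p><ul><li>Configure firewall rules to open only the required ports</li><li>Use secure TLS versions (TLS 1.2+)</li><li>Disable insecure cipher suites</li><li>Configure appropriate request rate limits</li></ul></li></ol><h3 id="性能优化"><a href="#性能优化" class="headerlink" title="性能优化"></a>Performance tuning</h3><ol><li><p>System configuration:</p><ul><li>Raise the system file descriptor limits<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">/etc/security/limits.conf</span></span><br><span class="line">minio-user soft nofile 65536</span><br><span class="line">minio-user hard nofile 65536</span><br></pre></td></tr></table></figure></li></ul></li><li><p>Storage tuning:</p><ul><li>Use the XFS file system for better performance</li><li>Set an appropriate disk read-ahead value</li><li>Enable disk caching</li><li>Defragment periodically</li></ul></li><li><p>Network tuning:</p><ul><li>Tune TCP parameters for network performance</li><li>Set an appropriate number of Nginx worker processes</li><li>Enable Nginx compression to reduce transfer volume</li><li>Configure a client caching policy</li></ul></li></ol><h3 id="维护建议"><a href="#维护建议" class="headerlink" title="维护建议"></a>Maintenance recommendations</h3><ol><li><p>Data backup:</p><ul><li>Establish a regular backup schedule</li><li>Verify the integrity of backup data</li><li>Keep multiple backup copies</li><li>Test the data recovery procedure</li></ul></li><li><p>Monitoring and alerting:</p><ul><li>Monitor service status and resource usage</li><li>Set disk space alert thresholds</li><li>Monitor certificate expiry</li><li>Configure service availability monitoring</li></ul></li><li><p>Version management:</p><ul><li>Track security updates and patches</li><li>Validate new versions in a test environment</li><li>Prepare a rollback plan</li><li>Keep a version change log</li></ul></li></ol><h3 id="故障排查"><a href="#故障排查" class="headerlink"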
title="故障排查"></a>Troubleshooting</h3><ol><li><p>Common problems:</p><ul><li>Certificate misconfiguration: check certificate paths and permissions</li><li>Port conflicts: check which ports are in use</li><li>Permission problems: check directory and file permissions</li><li>Network connectivity: verify firewall and network configuration</li></ul></li><li><p>Log analysis:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">MinIO log</span></span><br><span class="line">tail -f /var/log/minio/minio.log</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Nginx access log</span></span><br><span class="line">tail -f /var/log/nginx/access.log</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Nginx error log</span></span><br><span class="line">tail -f /var/log/nginx/error.log</span><br></pre></td></tr></table></figure></li><li><p>Service recovery:</p><ul><li>Preserve the failure state and collect the relevant logs</li><li>Handle the failure following the standard procedure</li><li>Record the fix and update the documentation</li><li>Review lessons learned and improve the process</li></ul></li></ol>]]></content>
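<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article describes how to deploy the MinIO object storage service securely with TLS, covering service installation, TLS certificate configuration, and the Nginx reverse proxy. Through online installation and configuration it provides HTTPS access to the MinIO service, and it is intended as a reference for operations engineers who need to deploy a secure object storage service.</p></summary>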
<category term="MinIO" scheme="https://freemankevin.uk/categories/MinIO/"/>
<category term="MinIO" scheme="https://freemankevin.uk/tags/MinIO/"/>
<category term="TLS" scheme="https://freemankevin.uk/tags/TLS/"/>
<category term="NGINX" scheme="https://freemankevin.uk/tags/NGINX/"/>
</entry>
<entry>
<title>PostgreSQL Database Backup and Recovery Guide</title>
<link href="https://freemankevin.uk/2025/01/15/backup-pg/"/>
<id>https://freemankevin.uk/2025/01/15/backup-pg/</id>
<published>2025-01-15T08:09:25.000Z</published>
<updated>2025-01-15T08:13:30.331Z</updated>
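<content type="html"><![CDATA[<p> This article describes the two main PostgreSQL backup approaches: PITR based on archived WAL, and physical backups based on pg_basebackup. It covers system configuration, performance tuning, monitoring and alerting, and disaster recovery, with detailed script examples and best-practice recommendations to help database administrators implement a reliable backup and recovery strategy.</p><span id="more"></span><h2 id="备份策略选择"><a href="#备份策略选择" class="headerlink" title="备份策略选择"></a>Choosing a backup strategy</h2><ol><li><p>When PITR fits:</p><ul><li>Recovery to an exact point in time is required</li><li>Data consistency requirements are high</li><li>Ample storage space is available</li><li>Some performance overhead is acceptable</li></ul></li><li><p>When physical backup fits:</p><ul><li>A complete copy of the database is needed</li><li>Backup and restore speed matters</li><li>Storage space is limited</li><li>The main purpose is disaster recovery</li></ul></li></ol><h2 id="方案一:归档日志备份-PITR"><a href="#方案一:归档日志备份-PITR" class="headerlink" title="方案一:归档日志备份(PITR)"></a>Option 1: WAL archive backup (PITR)</h2><h3 id="系统要求"><a href="#系统要求" class="headerlink" title="系统要求"></a>System requirements</h3><ol><li><p>Storage space:</p><ul><li>WAL space = daily WAL volume × retention days</li><li>Archive space = WAL space × 1.2 (compression ratio)</li><li>Base backup space = database size × 2</li></ul></li><li><p>Performance impact:</p><ul><li>CPU: an extra 5-10% load (archive compression)</li><li>I/O: an extra 10-20% write volume</li><li>Network: bandwidth for archive transfer</li></ul></li></ol><h3 id="详细配置"><a href="#详细配置" class="headerlink" title="详细配置"></a>Detailed configuration</h3><ol><li>Core postgresql.conf parameters:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># WAL settings</span></span><br><span class="line">wal_level = replica <span class="comment"># write the WAL information needed for archiving</span></span><br><span class="line">archive_mode = on <span class="comment"># enable archiving</span></span><br><span class="line">archive_command = <span class="string">'test !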
-f /archive/%f && cp %p /archive/%f'</span> <span class="comment"># archive command</span></span><br><span class="line">archive_timeout = 60 <span class="comment"># maximum archive interval (seconds)</span></span><br><span class="line">wal_keep_size = 512MB <span class="comment"># WAL retained in pg_wal (32 x 16MB segments; replaces wal_keep_segments, removed in PostgreSQL 13)</span></span><br><span class="line">max_wal_size = 1GB <span class="comment"># maximum WAL size</span></span><br><span class="line">min_wal_size = 80MB <span class="comment"># minimum WAL size</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Checkpoint settings</span></span><br><span class="line">checkpoint_timeout = 5min <span class="comment"># checkpoint interval</span></span><br><span class="line">checkpoint_completion_target = 0.9 <span class="comment"># checkpoint completion target</span></span><br><span class="line">checkpoint_warning = 30s <span class="comment"># checkpoint warning threshold</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Archive parameters</span></span><br><span class="line">archive_timeout = 60 <span class="comment"># time after which a WAL switch is forced</span></span><br><span class="line">archive_library = <span class="string">''</span> <span class="comment"># custom archive module</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Advanced archive command examples:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Archive with compression</span></span><br><span class="line">archive_command = <span class="string">'gzip < %p > /archive/%f.gz'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Archive with verification</span></span><br><span class="line">archive_command = <span class="string">'cp %p /archive/%f && sha256sum /archive/%f > /archive/%f.sha256'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Remote archive</span></span><br><span class="line">archive_command = <span class="string">'rsync -a %p backup_server:/archive/%f'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Archive to multiple destinations</span></span><br><span
class="line">archive_command = <span class="string">'cp %p /archive1/%f && cp %p /archive2/%f'</span></span><br></pre></td></tr></table></figure><h3 id="监控和维护"><a href="#监控和维护" class="headerlink" title="监控和维护"></a>Monitoring and maintenance</h3><ol><li>Archive status monitoring:</li></ol><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line"><span class="comment">-- Archiver statistics</span></span><br><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> pg_stat_archiver;</span><br><span class="line"></span><br><span class="line"><span class="comment">-- WAL generation rate</span></span><br><span class="line"><span class="keyword">SELECT</span> </span><br><span class="line">    <span class="built_in">current_timestamp</span>,</span><br><span class="line">    pg_walfile_name(pg_current_wal_lsn()),</span><br><span class="line">    pg_size_pretty(pg_wal_lsn_diff(pg_current_wal_lsn(), <span class="string">'0/0'</span>::pg_lsn)) <span class="keyword">as</span> total_wal_size;</span><br><span class="line"></span><br><span class="line"><span class="comment">-- Archive lag monitoring</span></span><br><span class="line"><span class="keyword">SELECT</span> </span><br><span class="line">    archived_count,</span><br><span class="line">    failed_count,</span><br><span class="line">    stats_reset,</span><br><span class="line">    <span class="keyword">CASE</span> <span class="keyword">WHEN</span> last_failed_wal <span class="keyword">IS</span> <span class="keyword">NOT NULL</span> </span><br><span class="line">        <span class="keyword">THEN</span> <span class="string">'Warning: Archive failed for '</span> <span class="operator">||</span> last_failed_wal </span><br><span class="line">        <span class="keyword">ELSE</span> <span class="string">'OK'</span> </span><br><span class="line">    <span class="keyword">END</span> <span class="keyword">as</span> archive_status</span><br><span class="line"><span class="keyword">FROM</span> pg_stat_archiver;</span><br></pre></td></tr></table></figure><ol
start="2"><li>Space monitoring script:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line"></span><br><span class="line">ARCHIVE_DIR=<span class="string">"/archive"</span></span><br><span class="line">THRESHOLD=80 <span class="comment"># disk usage warning threshold (%)</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Check archive directory space</span></span><br><span class="line">usage=$(<span class="built_in">df</span> -h <span class="variable">${ARCHIVE_DIR}</span> | awk <span class="string">'NR==2 {print $5}'</span> | sed <span class="string">'s/%//'</span>)</span><br><span class="line"><span class="keyword">if</span> [ <span class="variable">$usage</span> -gt <span class="variable">$THRESHOLD</span> ]; <span class="keyword">then</span></span><br><span class="line">    <span class="built_in">echo</span> <span class="string">"Warning: Archive directory usage is <span class="variable">${usage}</span>%"</span></span><br><span class="line">    <span class="comment"># An alert notification can be added here</span></span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Find the oldest archive file</span></span><br><span class="line">oldest_archive=$(find <span class="variable">${ARCHIVE_DIR}</span> -<span class="built_in">type</span> f -name <span class="string">"*.gz"</span> -<span class="built_in">printf</span> <span class="string">'%T+ %p\n'</span> | <span class="built_in">sort</span> | <span class="built_in">head</span> -n 1)</span><br><span class="line"><span class="built_in">echo</span> <span class="string">"Oldest archive file: <span class="variable">${oldest_archive}</span>"</span></span><br></pre></td></tr></table></figure><h2 id="方案二:物理备份"><a href="#方案二:物理备份" class="headerlink" title="方案二:物理备份"></a>Option 2: Physical backup</h2><h3 id="高级配置"><a href="#高级配置" class="headerlink" title="高级配置"></a>Advanced configuration</h3><ol><li>Backup compression options:</li></ol><figure class="highlight
bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># GZIP compression (default); client-side compression requires tar format (-Ft)</span></span><br><span class="line">pg_basebackup -Ft -Z 9 -D /backup/base</span><br><span class="line"></span><br><span class="line"><span class="comment"># ZSTD compression (recommended)</span></span><br><span class="line">pg_basebackup -Ft -Z zstd -D /backup/base</span><br><span class="line"></span><br><span class="line"><span class="comment"># Parallel compression (4 zstd worker threads, PostgreSQL 15+)</span></span><br><span class="line">pg_basebackup -Ft -Z zstd:workers=4 -D /backup/base</span><br></pre></td></tr></table></figure><ol start="2"><li>Enhanced backup script:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Configuration</span></span><br><span class="line">BACKUP_DIR=<span class="string">"/backup/pg"</span></span><br><span class="line">RETENTION_DAYS=90</span><br><span class="line">DATE=$(<span class="built_in">date</span> +%Y%m%d_%H%M%S)</span><br><span class="line">LOG_DIR=<span class="string">"/var/log/pg_backup"</span></span><br><span class="line">ALERT_EMAIL=<span class="string">"[email protected]"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Initialization</span></span><br><span class="line"><span class="built_in">mkdir</span> -p <span class="string">"<span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span>"</span></span><br><span class="line"><span class="built_in">mkdir</span> -p <span class="string">"<span class="variable">$LOG_DIR</span>"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Pre-backup checks</span></span><br><span class="line"><span class="function"><span class="title">check_prerequisites</span></span>() {</span><br><span class="line">    <span class="comment"># Check free space</span></span><br><span class="line">    <span class="built_in">local</span> required_space=$(<span class="built_in">du</span> -s <span
class="variable">$PGDATA</span> | awk <span class="string">'{print $1}'</span>)</span><br><span class="line">    <span class="built_in">local</span> available_space=$(<span class="built_in">df</span> <span class="variable">$BACKUP_DIR</span> | awk <span class="string">'NR==2 {print $4}'</span>)</span><br><span class="line">    <span class="keyword">if</span> [ <span class="variable">$available_space</span> -lt <span class="variable">$required_space</span> ]; <span class="keyword">then</span></span><br><span class="line">        <span class="built_in">echo</span> <span class="string">"Error: Insufficient space"</span> | mail -s <span class="string">"Backup Failed"</span> <span class="variable">$ALERT_EMAIL</span></span><br><span class="line">        <span class="built_in">exit</span> 1</span><br><span class="line">    <span class="keyword">fi</span></span><br><span class="line"> </span><br><span class="line">    <span class="comment"># Check connectivity</span></span><br><span class="line">    <span class="keyword">if</span> ! psql -c <span class="string">"SELECT 1"</span> > /dev/null 2>&1; <span class="keyword">then</span></span><br><span class="line">        <span class="built_in">echo</span> <span class="string">"Error: Cannot connect to database"</span> | mail -s <span class="string">"Backup Failed"</span> <span class="variable">$ALERT_EMAIL</span></span><br><span class="line">        <span class="built_in">exit</span> 1</span><br><span class="line">    <span class="keyword">fi</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment"># Run the backup (pg_basebackup has no -j option, so none is passed)</span></span><br><span class="line"><span class="function"><span class="title">perform_backup</span></span>() {</span><br><span class="line">    pg_basebackup \</span><br><span class="line">        -D <span class="string">"<span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span>"</span> \</span><br><span class="line">        -Ft \</span><br><span class="line">        -Z zstd \</span><br><span class="line">        -P \</span><br><span class="line">        -X stream \</span><br><span
class="line">        -U backup_user \</span><br><span class="line">        --checkpoint=fast \</span><br><span class="line">        --wal-method=stream \</span><br><span class="line">        --progress \</span><br><span class="line">        --verbose</span><br><span class="line"></span><br><span class="line">    <span class="comment"># Verify the backup</span></span><br><span class="line">    <span class="keyword">if</span> [ $? -eq 0 ]; <span class="keyword">then</span></span><br><span class="line">        <span class="comment"># Create checksums</span></span><br><span class="line">        <span class="built_in">cd</span> <span class="string">"<span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span>"</span></span><br><span class="line">        <span class="built_in">sha256sum</span> * > SHA256SUMS</span><br><span class="line">        <span class="comment"># Record backup metadata</span></span><br><span class="line">        <span class="built_in">echo</span> <span class="string">"Backup completed at <span class="subst">$(date)</span>"</span> > backup_info.txt</span><br><span class="line">        <span class="built_in">echo</span> <span class="string">"PostgreSQL Version: <span class="subst">$(psql -V)</span>"</span> >> backup_info.txt</span><br><span class="line">        <span class="built_in">echo</span> <span class="string">"Backup Size: <span class="subst">$(du -sh .)</span>"</span> >> backup_info.txt</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">        <span class="built_in">echo</span> <span class="string">"Backup failed"</span> | mail -s <span class="string">"Backup Failed"</span> <span class="variable">$ALERT_EMAIL</span></span><br><span class="line">        <span class="built_in">exit</span> 1</span><br><span class="line">    <span class="keyword">fi</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment"># Cleanup</span></span><br><span class="line"><span class="function"><span class="title">cleanup_old_backups</span></span>() {</span><br><span class="line">    <span class="comment"># Delete backups past the retention period, but always keep the newest 5</span></span><br><span class="line">    <span class="built_in">ls</span> -t <span class="string">"<span class="variable">$BACKUP_DIR</span>"</span> | <span class="built_in">tail</span> -n +6 | <span class="keyword">while</span> <span class="built_in">read</span> -r name; <span class="keyword">do</span></span><br><span class="line">        find <span class="string">"<span class="variable">$BACKUP_DIR</span>/<span class="variable">$name</span>"</span> -maxdepth 0 -mtime +<span class="variable">$RETENTION_DAYS</span> -<span class="built_in">exec</span> <span class="built_in">rm</span> -rf {} \;</span><br><span class="line">    <span class="keyword">done</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment"># Main flow</span></span><br><span class="line">check_prerequisites</span><br><span class="line">perform_backup</span><br><span class="line">cleanup_old_backups</span><br></pre></td></tr></table></figure><h3 id="恢复验证"><a href="#恢复验证" class="headerlink" title="恢复验证"></a>Restore verification</h3><ol><li>Automated restore verification script:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Test environment settings</span></span><br><span class="line">TEST_DIR=<span class="string">"/tmp/pg_restore_test"</span></span><br><span class="line">BACKUP_DIR=<span class="string">"/backup/pg"</span></span><br><span class="line">LATEST_BACKUP=$(<span class="built_in">ls</span> -t <span class="variable">$BACKUP_DIR</span> | <span class="built_in">head</span> -n1)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Prepare the test environment</span></span><br><span class="line"><span class="built_in">mkdir</span> -p <span class="variable">$TEST_DIR</span></span><br><span class="line"><span class="built_in">cd</span> <span class="variable">$TEST_DIR</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Extract the latest backup</span></span><br><span class="line">tar xf <span class="variable">$BACKUP_DIR</span>/<span
class="variable">$LATEST_BACKUP</span>/base.tar.zst</span><br><span class="line"><span class="built_in">mkdir</span> -p pg_wal</span><br><span class="line">tar xf <span class="variable">$BACKUP_DIR</span>/<span class="variable">$LATEST_BACKUP</span>/pg_wal.tar* -C pg_wal</span><br><span class="line"><span class="built_in">chmod</span> 700 <span class="variable">$TEST_DIR</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Configure the test instance: the extracted backup is the data directory, so no initdb is run</span></span><br><span class="line"><span class="built_in">cp</span> postgresql.conf postgresql.conf.orig</span><br><span class="line"><span class="built_in">echo</span> <span class="string">"port = 5433"</span> >> postgresql.conf</span><br><span class="line"><span class="built_in">echo</span> <span class="string">"archive_mode = off"</span> >> postgresql.conf <span class="comment"># keep the test instance out of /archive</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Start the test instance</span></span><br><span class="line">pg_ctl -D <span class="variable">$TEST_DIR</span> -w -l logfile start</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify the data</span></span><br><span class="line">psql -p 5433 -c <span class="string">"SELECT count(*) FROM pg_database;"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Clean up</span></span><br><span class="line">pg_ctl -D <span class="variable">$TEST_DIR</span> stop</span><br><span class="line"><span class="built_in">rm</span> -rf <span class="variable">$TEST_DIR</span></span><br></pre></td></tr></table></figure><h2 id="性能优化"><a href="#性能优化" class="headerlink" title="性能优化"></a>Performance tuning</h2><h3 id="I-O优化"><a href="#I-O优化" class="headerlink" title="I/O优化"></a>I/O tuning</h3><ol><li>File system tuning:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Use the XFS file system</span></span><br><span class="line">mkfs.xfs -f -d agcount=16 -l size=128m /dev/sdb1</span><br><span class="line"></span><br><span class="line"><span class="comment"># Mount options</span></span><br><span class="line">mount -o noatime,nodiratime,logbufs=8 /dev/sdb1 /archive</span><br></pre></td></tr></table></figure><ol start="2"><li>I/O scheduler tuning:<figure class="highlight bash"><table><tr><td
class="code"><pre><span class="line"><span class="comment"># Set the I/O scheduler</span></span><br><span class="line"><span class="built_in">echo</span> deadline > /sys/block/sda/queue/scheduler</span><br><span class="line"></span><br><span class="line"><span class="comment"># Adjust the read-ahead size</span></span><br><span class="line">blockdev --setra 16384 /dev/sda</span><br></pre></td></tr></table></figure></li></ol><h3 id="网络优化"><a href="#网络优化" class="headerlink" title="网络优化"></a>Network tuning</h3><ol><li>TCP parameter tuning:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># /etc/sysctl.conf</span></span><br><span class="line">net.core.rmem_max = 16777216</span><br><span class="line">net.core.wmem_max = 16777216</span><br><span class="line">net.ipv4.tcp_rmem = 4096 87380 16777216</span><br><span class="line">net.ipv4.tcp_wmem = 4096 65536 16777216</span><br><span class="line">net.ipv4.tcp_window_scaling = 1</span><br></pre></td></tr></table></figure><ol start="2"><li>Network interface tuning:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Adjust the NIC queue length</span></span><br><span class="line">ethtool -G eth0 rx 4096 tx 4096</span><br><span class="line"></span><br><span class="line"><span class="comment"># Enable NIC multi-queue</span></span><br><span class="line">ethtool -L eth0 combined 4</span><br></pre></td></tr></table></figure><h2 id="监控与告警"><a href="#监控与告警" class="headerlink" title="监控与告警"></a>Monitoring and alerting</h2><ol><li>Backup monitoring metrics:</li></ol><figure class="highlight sql"><table><tr><td class="code"><pre><span class="line"><span class="comment">-- Backup delay monitoring</span></span><br><span class="line"><span class="keyword">CREATE</span> <span class="keyword">OR</span> REPLACE <span class="keyword">FUNCTION</span> check_backup_delay()</span><br><span class="line"><span class="keyword">RETURNS</span> <span class="keyword">TABLE</span> (</span><br><span class="line">    backup_type text,</span><br><span class="line">    last_backup <span
class="type">timestamp</span>,</span><br><span class="line">    delay_hours <span class="type">numeric</span>,</span><br><span class="line">    status text</span><br><span class="line">) <span class="keyword">AS</span> $$</span><br><span class="line"><span class="keyword">BEGIN</span></span><br><span class="line">    <span class="keyword">RETURN</span> QUERY</span><br><span class="line">    <span class="keyword">WITH</span> backup_status <span class="keyword">AS</span> (</span><br><span class="line">        <span class="keyword">SELECT</span></span><br><span class="line">            <span class="string">'Physical Backup'</span> <span class="keyword">as</span> type,</span><br><span class="line">            <span class="built_in">COALESCE</span>(</span><br><span class="line">                <span class="comment">-- newest modification time among the entries of /backup/pg</span></span><br><span class="line">                (<span class="keyword">SELECT</span> <span class="built_in">MAX</span>((pg_stat_file(<span class="string">'/backup/pg/'</span> <span class="operator">||</span> f)).modification)::<span class="type">timestamp</span></span><br><span class="line">                 <span class="keyword">FROM</span> pg_ls_dir(<span class="string">'/backup/pg'</span>) <span class="keyword">AS</span> f),</span><br><span class="line">                <span class="string">'1970-01-01'</span>::<span class="type">timestamp</span></span><br><span class="line">            ) <span class="keyword">as</span> last_time</span><br><span class="line">    )</span><br><span class="line">    <span class="keyword">SELECT</span></span><br><span class="line">        type,</span><br><span class="line">        last_time,</span><br><span class="line">        (<span class="built_in">EXTRACT</span>(EPOCH <span class="keyword">FROM</span> (now() <span class="operator">-</span> last_time))<span class="operator">/</span><span class="number">3600</span>)::<span class="type">numeric</span> <span class="keyword">as</span> hours,</span><br><span class="line">        <span class="keyword">CASE</span></span><br><span class="line">            <span class="keyword">WHEN</span> <span class="built_in">EXTRACT</span>(EPOCH <span class="keyword">FROM</span> (now() <span class="operator">-</span> last_time))<span class="operator">/</span><span class="number">3600</span> <span class="operator">></span> <span class="number">24</span> </span><br><span class="line">            <span
class="keyword">THEN</span> <span class="string">'CRITICAL'</span></span><br><span class="line">            <span class="keyword">WHEN</span> <span class="built_in">EXTRACT</span>(EPOCH <span class="keyword">FROM</span> (now() <span class="operator">-</span> last_time))<span class="operator">/</span><span class="number">3600</span> <span class="operator">></span> <span class="number">12</span> </span><br><span class="line">            <span class="keyword">THEN</span> <span class="string">'WARNING'</span></span><br><span class="line">            <span class="keyword">ELSE</span> <span class="string">'OK'</span></span><br><span class="line">        <span class="keyword">END</span></span><br><span class="line">    <span class="keyword">FROM</span> backup_status;</span><br><span class="line"><span class="keyword">END</span>;</span><br><span class="line">$$ <span class="keyword">LANGUAGE</span> plpgsql;</span><br></pre></td></tr></table></figure><ol start="2"><li>Alert integration:</li></ol><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> psycopg2</span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">check_backup_status</span>():</span><br><span class="line">    conn = psycopg2.connect(<span class="string">"dbname=postgres"</span>)</span><br><span class="line">    cur = conn.cursor()</span><br><span class="line"> </span><br><span class="line">    cur.execute(<span class="string">"SELECT * FROM check_backup_delay()"</span>)</span><br><span class="line">    results = cur.fetchall()</span><br><span class="line"> </span><br><span class="line">    <span class="keyword">for</span> result <span class="keyword">in</span> results:</span><br><span class="line">        <span class="keyword">if</span> result[<span class="number">3</span>]
!= <span class="string">'OK'</span>:</span><br><span class="line"> send_alert(<span class="string">f"Backup Alert: <span class="subst">{result[<span class="number">0</span>]}</span> is <span class="subst">{result[<span class="number">3</span>]}</span>, delay: <span class="subst">{result[<span class="number">2</span>]}</span> hours"</span>)</span><br><span class="line"> </span><br><span class="line"> conn.close()</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">send_alert</span>(<span class="params">message</span>):</span><br><span class="line"> webhook_url = <span class="string">"https://alert.example.com/webhook"</span></span><br><span class="line"> payload = {<span class="string">"text"</span>: message}</span><br><span class="line"> requests.post(webhook_url, json=payload, timeout=<span class="number">10</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line"> check_backup_status()</span><br></pre></td></tr></table></figure><h2 id="灾难恢复"><a href="#灾难恢复" class="headerlink" title="灾难恢复"></a>Disaster Recovery</h2><h3 id="恢复时间目标-RTO-评估"><a href="#恢复时间目标-RTO-评估" class="headerlink" title="恢复时间目标(RTO)评估"></a>Recovery Time Objective (RTO) Assessment</h3><ol><li><p>Assessment factors:</p><ul><li>Database size</li><li>Available network bandwidth</li><li>Storage performance</li><li>WAL replay speed</li></ul></li><li><p>Calculation formula:</p></li></ol><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">calculate_rto</span>(<span class="params">db_size_gb, network_speed_mbps, storage_iops</span>):</span><br><span class="line"> <span class="comment"># Transfer time in minutes</span></span><br><span class="line"> transfer_time = (db_size_gb * <span class="number">1024</span> * <span class="number">8</span>) / (network_speed_mbps * <span class="number">60</span>)</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># 
Decompression time</span></span><br><span class="line"> decompress_time = db_size_gb * <span class="number">0.5</span> <span class="comment"># estimate</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># WAL replay time</span></span><br><span class="line"> wal_replay_time = db_size_gb * <span class="number">0.3</span> <span class="comment"># estimate</span></span><br><span class="line"> </span><br><span class="line"> total_time = transfer_time + decompress_time + wal_replay_time</span><br><span class="line"> <span class="keyword">return</span> total_time</span><br></pre></td></tr></table></figure><h3 id="恢复演练"><a href="#恢复演练" class="headerlink" title="恢复演练"></a>Recovery Drills</h3><ol><li><p>Drill plan:</p><ul><li>Run a full recovery drill every quarter</li><li>Run a partial data recovery test every month</li><li>Document and refine the recovery procedure</li></ul></li><li><p>Drill report template:</p></li></ol><figure class="highlight markdown"><table><tr><td class="code"><pre><span class="line"><span class="section"># Recovery Drill Report</span></span><br><span class="line"></span><br><span class="line"><span class="section">## Basic Information</span></span><br><span class="line"><span class="bullet">-</span> Drill date:</span><br><span class="line"><span class="bullet">-</span> Drill environment:</span><br><span class="line"><span class="bullet">-</span> Database version:</span><br><span class="line"><span class="bullet">-</span> Backup size:</span><br><span class="line"></span><br><span class="line"><span class="section">## Recovery Steps</span></span><br><span class="line"><span class="bullet">1.</span> Preparation phase</span><br><span class="line"><span class="bullet"> -</span> [ ] Verify backup integrity</span><br><span class="line"><span class="bullet"> -</span> [ ] Prepare the recovery environment</span><br><span class="line"><span class="bullet"> -</span> [ ] Confirm available storage space</span><br><span class="line"></span><br><span class="line"><span class="bullet">2.</span> Execution phase</span><br><span class="line"><span class="bullet"> -</span> [ ] Decompress the backup files</span><br><span class="line"><span class="bullet"> -</span> [ ] Configure recovery parameters</span><br><span class="line"><span class="bullet"> -</span> [ ] Start the database</span><br><span 
class="line"><span class="bullet"> -</span> [ ] Verify data consistency</span><br><span class="line"></span><br><span class="line"><span class="bullet">3.</span> Verification phase</span><br><span class="line"><span class="bullet"> -</span> [ ] Check system tables</span><br><span class="line"><span class="bullet"> -</span> [ ] Verify user data</span><br><span class="line"><span class="bullet"> -</span> [ ] Test application connections</span><br><span class="line"></span><br><span class="line"><span class="section">## Results Analysis</span></span><br><span class="line"><span class="bullet">-</span> Total recovery time:</span><br><span class="line"><span class="bullet">-</span> Issues encountered:</span><br><span class="line"><span class="bullet">-</span> Suggested improvements:</span><br></pre></td></tr></table></figure><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best Practices</h2><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security Recommendations</h3><ol><li>Encryption configuration:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Encrypt the backup with GPG</span></span><br><span class="line">gpg --encrypt --recipient [email protected] base.tar.zst</span><br><span class="line"></span><br><span class="line"><span class="comment"># Or use openssl (-pbkdf2 avoids the weak legacy key derivation; pass it again when decrypting)</span></span><br><span class="line">openssl enc -aes-256-cbc -salt -pbkdf2 -<span class="keyword">in</span> base.tar.zst -out base.tar.zst.enc</span><br></pre></td></tr></table></figure><ol start="2"><li>Access control:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Backup directory permissions</span></span><br><span class="line"><span class="built_in">chmod</span> 700 /backup/pg</span><br><span class="line">setfacl -m u:postgres:rx /backup/pg</span><br><span class="line"></span><br><span class="line"><span class="comment"># Encryption key management (keep the exported private key offline, separate from the backups)</span></span><br><span class="line">gpg --gen-key</span><br><span class="line">gpg --export-secret-keys --armor > backup-key.asc</span><br></pre></td></tr></table></figure><h3 id="存储管理"><a href="#存储管理" class="headerlink" 
title="存储管理"></a>Storage Management</h3><ol><li>Backup compression ratio monitoring:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line"><span class="comment"># Monitor backup compression efficiency</span></span><br><span class="line"><span class="keyword">for</span> backup <span class="keyword">in</span> /backup/pg/*/base.tar.zst; <span class="keyword">do</span></span><br><span class="line"> original_size=$(zstd -l <span class="string">"<span class="variable">$backup</span>"</span> | awk <span class="string">'NR==4 {print $4}'</span>)</span><br><span class="line"> compressed_size=$(zstd -l <span class="string">"<span class="variable">$backup</span>"</span> | awk <span class="string">'NR==4 {print $2}'</span>)</span><br><span class="line"> ratio=$(<span class="built_in">echo</span> <span class="string">"scale=2; <span class="variable">$compressed_size</span>/<span class="variable">$original_size</span> * 100"</span> | bc)</span><br><span class="line"> <span class="built_in">echo</span> <span class="string">"<span class="variable">$backup</span>: <span class="variable">$ratio</span>% of original size"</span></span><br><span class="line"><span class="keyword">done</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Storage space forecasting:</li></ol><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> psutil</span><br><span class="line"><span class="keyword">import</span> datetime</span><br><span class="line"><span class="keyword">import</span> numpy <span class="keyword">as</span> np</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">predict_storage_usage</span>(<span class="params">backup_dir, days=<span class="number">30</span></span>):</span><br><span class="line"> <span 
class="comment"># Collect usage samples (as written this reads the current usage `days` times; substitute recorded daily values for a real trend)</span></span><br><span class="line"> usage_data = []</span><br><span class="line"> <span class="keyword">for</span> _ <span class="keyword">in</span> <span class="built_in">range</span>(days):</span><br><span class="line"> usage = psutil.disk_usage(backup_dir).used</span><br><span class="line"> usage_data.append(usage)</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Linear regression forecast</span></span><br><span class="line"> X = np.arange(days).reshape(-<span class="number">1</span>, <span class="number">1</span>)</span><br><span class="line"> y = np.array(usage_data)</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">from</span> sklearn.linear_model <span class="keyword">import</span> LinearRegression</span><br><span class="line"> model = LinearRegression()</span><br><span class="line"> model.fit(X, y)</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Predict the next period</span></span><br><span class="line"> future_days = np.arange(days, days+<span class="number">7</span>).reshape(-<span class="number">1</span>, <span class="number">1</span>)</span><br><span class="line"> predictions = model.predict(future_days)</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">return</span> predictions</span><br></pre></td></tr></table></figure><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>This document provides a complete solution for PostgreSQL database backup and recovery, covering detailed configuration, monitoring, optimization and best practices for both PITR and physical backups. Choose a backup strategy that fits your actual requirements, and run recovery drills regularly to keep your data safe.</p>]]></content>
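<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article describes in detail the two main backup approaches for PostgreSQL databases: PITR based on archived logs and physical backups based on pg_basebackup. It covers a complete solution spanning system configuration, performance optimization, monitoring and alerting, and disaster recovery, and provides detailed script examples and best-practice recommendations to help database administrators implement a reliable backup and recovery strategy.</p></summary>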
<category term="PostgreSQL" scheme="https://freemankevin.uk/categories/PostgreSQL/"/>
<category term="Backup" scheme="https://freemankevin.uk/tags/Backup/"/>
<category term="PITR" scheme="https://freemankevin.uk/tags/PITR/"/>
<category term="PostgreSQL" scheme="https://freemankevin.uk/tags/PostgreSQL/"/>
</entry>
<entry>
<title>MinIO Data Synchronization and Migration Guide</title>
<link href="https://freemankevin.uk/2025/01/15/backup-minio/"/>
<id>https://freemankevin.uk/2025/01/15/backup-minio/</id>
<published>2025-01-15T07:57:25.000Z</published>
<updated>2025-01-15T07:57:54.495Z</updated>
<content type="html"><![CDATA[<p> This article describes in detail the data synchronization and migration options for the MinIO object storage service, focusing on the storage-structure differences between versions released before and after June 2022. It covers concrete procedures for several scenarios, including same-version synchronization, cross-version migration, in-place upgrade and two-host migration, and provides complete command examples and caveats to help operations staff complete MinIO data migrations safely and reliably.</p><span id="more"></span><h2 id="版本特性对比"><a href="#版本特性对比" class="headerlink" title="版本特性对比"></a>Version Feature Comparison</h2><h3 id="存储结构演进"><a href="#存储结构演进" class="headerlink" title="存储结构演进"></a>Evolution of the Storage Structure</h3><ol><li><p>Versions from 2019 and earlier:</p><ul><li>Use the direct file storage model</li><li>Simple web interface</li><li>Basic storage features</li></ul></li><li><p>Versions 2020 to 2022.5:</p><ul><li>Keep the direct file storage model</li><li>Improved web interface</li><li>Introduce Console port configuration<figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">command:</span> <span class="string">server</span> <span class="string">/data</span> <span class="string">--console-address</span> <span class="string">":9001"</span></span><br></pre></td></tr></table></figure></li></ul></li><li><p>Versions 2022.6 and later:</p><ul><li>Use a directory-based storage structure</li><li>Full web console</li><li>Enhanced management features</li><li>Metadata stored separately</li></ul></li></ol><h2 id="数据同步方案"><a href="#数据同步方案" class="headerlink" title="数据同步方案"></a>Data Synchronization Options</h2><h3 id="同版本同步"><a href="#同版本同步" class="headerlink" title="同版本同步"></a>Same-Version Synchronization</h3><ol><li><p>Data file synchronization:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Sync bucket data</span></span><br><span class="line"><span class="built_in">cp</span> -r /source/bucket/* /target/bucket/</span><br><span class="line"></span><br><span class="line"><span class="comment"># Sync metadata</span></span><br><span class="line"><span class="built_in">cp</span> -r /source/.minio.sys /target/</span><br></pre></td></tr></table></figure></li><li><p>Permission maintenance:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Ensure permissions are correct</span></span><br><span class="line"><span class="built_in">chown</span> -R minio:minio /target/bucket</span><br><span class="line"><span class="built_in">chmod</span> -R 750 /target/bucket</span><br></pre></td></tr></table></figure></li></ol><h3 id="跨版本迁移"><a 
href="#跨版本迁移" class="headerlink" title="跨版本迁移"></a>Cross-Version Migration</h3><ol><li><p>Environment preparation:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Download the MinIO client</span></span><br><span class="line">wget https://dl.min.io/client/mc/release/linux-amd64/mc</span><br><span class="line"></span><br><span class="line"><span class="comment"># Make it executable</span></span><br><span class="line"><span class="built_in">chmod</span> +x mc</span><br></pre></td></tr></table></figure></li><li><p>Configure service endpoints:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Configure the source server</span></span><br><span class="line">./mc <span class="built_in">alias</span> <span class="built_in">set</span> source-minio http://source-ip:9000 access-key secret-key</span><br><span class="line"></span><br><span class="line"><span class="comment"># Configure the target server</span></span><br><span class="line">./mc <span class="built_in">alias</span> <span class="built_in">set</span> target-minio http://target-ip:9000 access-key secret-key</span><br></pre></td></tr></table></figure></li><li><p>Data migration:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># List source buckets</span></span><br><span class="line">./mc <span class="built_in">ls</span> source-minio</span><br><span class="line"></span><br><span class="line"><span class="comment"># List target buckets</span></span><br><span class="line">./mc <span class="built_in">ls</span> target-minio</span><br><span class="line"></span><br><span class="line"><span class="comment"># Run the migration</span></span><br><span class="line">./mc mirror source-minio/source-bucket target-minio/target-bucket</span><br></pre></td></tr></table></figure></li></ol><h2 id="升级策略"><a href="#升级策略" class="headerlink" title="升级策略"></a>Upgrade Strategy</h2><h3 id="原地升级方案"><a href="#原地升级方案" class="headerlink" title="原地升级方案"></a>In-Place Upgrade</h3><ol><li><p>Preparation:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span 
class="line"><span class="comment"># Back up existing data</span></span><br><span class="line">tar -czf minio-backup.tar.gz /path/to/minio/data</span><br><span class="line"></span><br><span class="line"><span class="comment"># Stop the existing service</span></span><br><span class="line">docker-compose down</span><br></pre></td></tr></table></figure></li><li><p>Deploy the new version:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Edit docker-compose.yml</span></span><br><span class="line">version: <span class="string">'3'</span></span><br><span class="line">services:</span><br><span class="line"> minio:</span><br><span class="line"> image: minio/minio:latest</span><br><span class="line"> ports:</span><br><span class="line"> - <span class="string">"9000:9000"</span></span><br><span class="line"> - <span class="string">"9001:9001"</span></span><br><span class="line"> volumes:</span><br><span class="line"> - ./data:/data</span><br><span class="line"> <span class="built_in">command</span>: server /data --console-address <span class="string">":9001"</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="双机迁移方案"><a href="#双机迁移方案" class="headerlink" title="双机迁移方案"></a>Two-Host Migration</h3><ol><li><p>Deploy the new environment:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Deploy the new MinIO version</span></span><br><span class="line">docker-compose up -d</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify service status (liveness endpoint)</span></span><br><span class="line">curl http://new-minio:9000/minio/health/live</span><br></pre></td></tr></table></figure></li><li><p>Data migration:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Run incremental sync</span></span><br><span class="line">./mc mirror --watch source-minio/bucket target-minio/bucket</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify data consistency</span></span><br><span class="line">./mc diff 
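source-minio/bucket target-minio/bucket</span><br></pre></td></tr></table></figure></li></ol><h2 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>Notes</h2><ol><li><p>Storage compatibility:</p><ul><li>The storage structure differs significantly between versions before and after 2022.6</li><li>The mc tool must be used to convert the data</li><li>Make sure data integrity is verified</li></ul></li><li><p>Performance considerations:</p><ul><li>Large-scale data migrations require assessing network bandwidth</li><li>Compressed transfer is recommended</li><li>Consider migrating in batches</li></ul></li><li><p>Business impact:</p><ul><li>Assess business downtime</li><li>Prepare a rollback plan</li><li>Make sure configuration files are updated in step</li></ul></li></ol><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>This document provides a complete approach to MinIO data synchronization and migration, focusing on the storage-structure changes caused by version differences. Used properly, the mc tool makes safe and reliable data migration possible.</p>]]></content>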
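<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article describes in detail the data synchronization and migration options for the MinIO object storage service, focusing on the storage-structure differences between versions released before and after June 2022. It covers concrete procedures for several scenarios, including same-version synchronization, cross-version migration, in-place upgrade and two-host migration, and provides complete command examples and caveats to help operations staff complete MinIO data migrations safely and reliably.</p></summary>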
<category term="MinIO" scheme="https://freemankevin.uk/categories/MinIO/"/>
<category term="Docker" scheme="https://freemankevin.uk/tags/Docker/"/>
<category term="Backup" scheme="https://freemankevin.uk/tags/Backup/"/>
<category term="MinIO" scheme="https://freemankevin.uk/tags/MinIO/"/>
</entry>
<entry>
<title>Guide to Optimizing Access Speed for Public-Facing Projects</title>
<link href="https://freemankevin.uk/2025/01/14/slow-project/"/>
<id>https://freemankevin.uk/2025/01/14/slow-project/</id>
<published>2025-01-14T08:44:25.000Z</published>
<updated>2025-01-14T08:47:21.246Z</updated>
<content type="html"><![CDATA[<p> This article is a comprehensive guide to optimizing access speed for public-facing projects, covering network performance testing, DNS resolution checks, server performance analysis and web service tuning. It also brings together mainstream testing platforms from China and abroad, and offers recommendations for performance monitoring and continuous optimization. It is intended as a reference for operations staff optimizing website performance.</p><span id="more"></span><h2 id="问题诊断"><a href="#问题诊断" class="headerlink" title="问题诊断"></a>Problem Diagnosis</h2><h3 id="网络性能测试"><a href="#网络性能测试" class="headerlink" title="网络性能测试"></a>Network Performance Testing</h3><ol><li><p>Bandwidth test:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Test bandwidth with speedtest-cli</span></span><br><span class="line">apt-get install speedtest-cli <span class="comment"># Debian/Ubuntu</span></span><br><span class="line">yum install speedtest-cli <span class="comment"># RedHat/CentOS</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Run the test</span></span><br><span class="line">speedtest-cli --server SERVER_ID</span><br><span class="line">speedtest-cli --list <span class="comment"># List all test servers</span></span><br></pre></td></tr></table></figure></li><li><p>Network latency test:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ICMP latency test</span></span><br><span class="line">ping -c 10 TARGET_DOMAIN</span><br><span class="line"></span><br><span class="line"><span class="comment"># TCP latency test</span></span><br><span class="line">tcping TARGET_IP TARGET_PORT</span><br><span class="line"></span><br><span class="line"><span class="comment"># Route tracing</span></span><br><span class="line">traceroute TARGET_DOMAIN</span><br><span class="line">mtr TARGET_DOMAIN</span><br></pre></td></tr></table></figure></li></ol><h3 id="DNS解析检查"><a href="#DNS解析检查" class="headerlink" title="DNS解析检查"></a>DNS Resolution Checks</h3><ol><li><p>DNS resolution test:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check DNS resolution time</span></span><br><span class="line">dig +trace TARGET_DOMAIN</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check the local DNS cache</span></span><br><span class="line">systemd-resolve --statistics</span><br><span 
class="line">nscd -g</span><br></pre></td></tr></table></figure></li><li><p>DNS configuration tuning:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Change the DNS servers</span></span><br><span class="line"><span class="built_in">cat</span> > /etc/resolv.conf << <span class="string">EOF</span></span><br><span class="line"><span class="string">nameserver 223.5.5.5</span></span><br><span class="line"><span class="string">nameserver 119.29.29.29</span></span><br><span class="line"><span class="string">EOF</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="性能分析"><a href="#性能分析" class="headerlink" title="性能分析"></a>Performance Analysis</h2><h3 id="服务器性能"><a href="#服务器性能" class="headerlink" title="服务器性能"></a>Server Performance</h3><ol><li><p>System resource monitoring:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># CPU usage</span></span><br><span class="line">top -bn1 | grep <span class="string">"Cpu(s)"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Memory usage</span></span><br><span class="line">free -m</span><br><span class="line"></span><br><span class="line"><span class="comment"># Disk I/O</span></span><br><span class="line">iostat -x 1 10</span><br><span class="line"></span><br><span class="line"><span class="comment"># Network I/O</span></span><br><span class="line">sar -n DEV 1 10</span><br></pre></td></tr></table></figure></li><li><p>Network configuration check:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check NIC configuration</span></span><br><span class="line">ethtool eth0</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check network connection statistics</span></span><br><span class="line">netstat -s</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check TCP settings</span></span><br><span class="line">sysctl -a | grep net.ipv4.tcp</span><br></pre></td></tr></table></figure></li></ol><h3 id="应用性能"><a href="#应用性能" 
class="headerlink" title="应用性能"></a>Application Performance</h3><ol><li><p>Web server check:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Nginx status</span></span><br><span class="line">nginx -V</span><br><span class="line">curl localhost/nginx_status</span><br><span class="line"></span><br><span class="line"><span class="comment"># Apache status</span></span><br><span class="line">apache2ctl -V</span><br><span class="line">curl localhost/server-status</span><br></pre></td></tr></table></figure></li><li><p>Application log analysis:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check the error log</span></span><br><span class="line"><span class="built_in">tail</span> -f /var/log/nginx/error.log</span><br><span class="line">grep -i <span class="string">"slow"</span> /var/log/nginx/access.log</span><br></pre></td></tr></table></figure></li></ol><h2 id="优化方案"><a href="#优化方案" class="headerlink" title="优化方案"></a>Optimization</h2><h3 id="服务器优化"><a href="#服务器优化" class="headerlink" title="服务器优化"></a>Server Optimization</h3><ol><li><p>System parameter tuning:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># TCP tuning</span></span><br><span class="line"><span class="built_in">cat</span> >> /etc/sysctl.conf << <span class="string">EOF</span></span><br><span class="line"><span class="string">net.ipv4.tcp_fin_timeout = 30</span></span><br><span class="line"><span class="string">net.ipv4.tcp_keepalive_time = 1200</span></span><br><span class="line"><span class="string">net.ipv4.tcp_max_syn_backlog = 8192</span></span><br><span class="line"><span class="string">net.ipv4.tcp_tw_reuse = 1</span></span><br><span class="line"><span class="string">EOF</span></span><br><span class="line">sysctl -p</span><br></pre></td></tr></table></figure></li><li><p>Web server tuning:</p><figure class="highlight nginx"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Nginx configuration tuning</span></span><br><span 
class="line"><span class="attribute">worker_processes</span> auto;</span><br><span class="line"><span class="attribute">worker_rlimit_nofile</span> <span class="number">65535</span>;</span><br><span class="line"><span class="section">events</span> {</span><br><span class="line"> <span class="attribute">worker_connections</span> <span class="number">65535</span>;</span><br><span class="line"> <span class="attribute">use</span> <span class="literal">epoll</span>;</span><br><span class="line"> <span class="attribute">multi_accept</span> <span class="literal">on</span>;</span><br><span class="line">}</span><br><span class="line"><span class="section">http</span> {</span><br><span class="line"> <span class="attribute">keepalive_timeout</span> <span class="number">65</span>;</span><br><span class="line"> <span class="attribute">client_max_body_size</span> <span class="number">50m</span>;</span><br><span class="line"> <span class="attribute">gzip</span> <span class="literal">on</span>;</span><br><span class="line"> <span class="attribute">gzip_types</span> text/plain application/javascript text/css;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></li></ol><h3 id="CDN加速"><a href="#CDN加速" class="headerlink" title="CDN加速"></a>CDN Acceleration</h3><ol><li><p>CDN configuration check:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check CDN resolution</span></span><br><span class="line">dig DOMAIN @CDN_PROVIDER_DNS</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check CDN caching</span></span><br><span class="line">curl -I https://DOMAIN/RESOURCE_PATH</span><br></pre></td></tr></table></figure></li><li><p>Cache policy tuning:</p><figure class="highlight nginx"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Nginx cache configuration</span></span><br><span class="line"><span class="section">location</span> <span class="regexp">~* \.(jpg|jpeg|png|gif|ico|css|js)$</span> {</span><br><span class="line"> <span 
class="attribute">expires</span> <span class="number">7d</span>;</span><br><span class="line"> <span class="attribute">add_header</span> Cache-Control <span class="string">"public, no-transform"</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></li></ol><h3 id="在线测试工具"><a href="#在线测试工具" class="headerlink" title="在线测试工具"></a>Online Testing Tools</h3><ol><li><p>Testing platforms in China:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Chinaz Webmaster Tools</span></span><br><span class="line">https://tool.chinaz.com/speedtest/ <span class="comment"># Multi-node speed test within China</span></span><br><span class="line">https://tool.chinaz.com/dns/ <span class="comment"># DNS lookup</span></span><br><span class="line">https://tool.chinaz.com/sitespeed/ <span class="comment"># Website speed test</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 17CE</span></span><br><span class="line">https://www.17ce.com/site <span class="comment"># Speed test from multiple regions across China</span></span><br><span class="line">https://www.17ce.com/dns <span class="comment"># DNS resolution test</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Tencent Cloud tools</span></span><br><span class="line">https://tools.cloud.tencent.com/ <span class="comment"># Website performance analysis</span></span><br></pre></td></tr></table></figure></li><li><p>International testing platforms:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># GTmetrix</span></span><br><span class="line">https://gtmetrix.com/</span><br><span class="line">- Provides detailed performance analysis reports</span><br><span class="line">- Supports test locations in multiple regions</span><br><span class="line">- Page load waterfall analysis</span><br><span class="line"></span><br><span class="line"><span class="comment"># Pingdom</span></span><br><span class="line">https://tools.pingdom.com/</span><br><span class="line">- Testing from global nodes</span><br><span class="line">- Historical data comparison</span><br><span class="line">- Performance score analysis</span><br><span class="line"></span><br><span 
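class="comment"># WebPageTest</span></span><br><span class="line">https://www.webpagetest.org/</span><br><span class="line">- Supports mobile testing</span><br><span class="line">- Compares first visit and repeat visit</span><br><span class="line">- Detailed resource loading analysis</span><br></pre></td></tr></table></figure></li><li><p>Test metrics explained:</p><ul><li>TTFB (Time To First Byte): < 200ms</li><li>DNS resolution time: < 20ms</li><li>Page load time: < 2s</li><li>Resource response time: < 500ms</li><li>SSL negotiation time: < 100ms</li></ul></li><li><p>Recommendations for using online tools:</p><ul><li>Cross-check results with several tools</li><li>Test at different times of day</li><li>Record and compare historical data</li><li>Keep an eye on competitor website performance</li></ul></li></ol><h2 id="监控方案"><a href="#监控方案" class="headerlink" title="监控方案"></a>Monitoring</h2><h3 id="性能监控"><a href="#性能监控" class="headerlink" title="性能监控"></a>Performance Monitoring</h3><ol><li><p>Monitored metrics:</p><ul><li>Page load time (TTFB)</li><li>DNS resolution time</li><li>TCP connection time</li><li>Server response time</li><li>Resource load time</li></ul></li><li><p>Alert configuration:</p><ul><li>Response time exceeds 500ms</li><li>Error rate exceeds 1%</li><li>CPU usage exceeds 80%</li><li>Memory usage exceeds 85%</li></ul></li></ol><h3 id="持续优化"><a href="#持续优化" class="headerlink" title="持续优化"></a>Continuous Optimization</h3><ol><li><p>Regular reviews:</p><ul><li>Weekly performance report</li><li>Monthly optimization assessment</li><li>Quarterly capacity planning</li><li>Annual architecture review</li></ul></li><li><p>Contingency plans:</p><ul><li>Rapid scale-out plan</li><li>Degradation strategy</li><li>Failover</li><li>Backup and recovery</li></ul></li></ol><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>This document is a comprehensive guide to optimizing access speed for public-facing projects, covering problem diagnosis, performance analysis, optimization and monitoring recommendations. Choose optimization strategies that fit your actual situation, and keep monitoring and improving.</p>]]></content>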
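<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article is a comprehensive guide to optimizing access speed for public-facing projects, covering network performance testing, DNS resolution checks, server performance analysis and web service tuning. It also brings together mainstream testing platforms from China and abroad, and offers recommendations for performance monitoring and continuous optimization. It is intended as a reference for operations staff optimizing website performance.</p></summary>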
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="NGINX" scheme="https://freemankevin.uk/tags/NGINX/"/>
</entry>
<entry>
<title>Docker Environment Cleanup</title>
<link href="https://freemankevin.uk/2025/01/14/clean-docker/"/>
<id>https://freemankevin.uk/2025/01/14/clean-docker/</id>
<published>2025-01-14T07:44:25.000Z</published>
<updated>2025-01-14T08:13:52.501Z</updated>
<content type="html"><![CDATA[<p> This article explains in detail how to completely clean up a Docker environment, with concrete steps for both RedHat/CentOS and Debian/Ubuntu family systems. It covers environment checks, data backup, stopping services, resource cleanup and package removal, helping users clean up a Docker environment safely and completely. Be sure to back up your data before running the cleanup.</p><span id="more"></span><h2 id="前置准备"><a href="#前置准备" class="headerlink" title="前置准备"></a>Preparation</h2><h3 id="环境检查"><a href="#环境检查" class="headerlink" title="环境检查"></a>Environment Check</h3><ol><li>Check Docker installation details:<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check the Docker version and installation method</span></span><br><span class="line">docker version</span><br><span class="line">docker info</span><br><span class="line"></span><br><span class="line"><span class="comment"># RedHat/CentOS family</span></span><br><span class="line">rpm -qa | grep docker</span><br><span class="line"></span><br><span class="line"><span class="comment"># Debian/Ubuntu family</span></span><br><span class="line">dpkg -l | grep docker</span><br></pre></td></tr></table></figure></li></ol><h3 id="数据备份"><a href="#数据备份" class="headerlink" title="数据备份"></a>Data Backup</h3><ol><li>General backup steps:<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create the backup directory</span></span><br><span class="line"><span class="built_in">mkdir</span> -p /backup/docker/$(<span class="built_in">date</span> +%Y%m%d)</span><br><span class="line"><span class="built_in">cd</span> /backup/docker/$(<span class="built_in">date</span> +%Y%m%d)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Export containers and images</span></span><br><span class="line">docker ps -a --format <span class="string">"{{.Names}}"</span> | <span class="keyword">while</span> <span class="built_in">read</span> container; <span class="keyword">do</span></span><br><span class="line"> docker <span class="built_in">export</span> <span class="string">"<span class="variable">$container</span>"</span> > <span class="string">"<span class="variable">${container}</span>.tar"</span></span><br><span class="line"><span 
class="keyword">done</span></span><br><span class="line"></span><br><span class="line">docker images --format <span class="string">"{{.Repository}}:{{.Tag}}"</span> | <span class="keyword">while</span> <span class="built_in">read</span> image; <span class="keyword">do</span></span><br><span class="line"> docker save <span class="string">"<span class="variable">$image</span>"</span> > <span class="string">"<span class="variable">${image//\//_}</span>.tar"</span></span><br><span class="line"><span class="keyword">done</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Back up configuration</span></span><br><span class="line">tar -czf docker-config-$(<span class="built_in">date</span> +%Y%m%d).tar.gz /etc/docker</span><br><span class="line">tar -czf docker-data-$(<span class="built_in">date</span> +%Y%m%d).tar.gz /var/lib/docker</span><br></pre></td></tr></table></figure></li></ol><h2 id="RedHat-CentOS系列清理"><a href="#RedHat-CentOS系列清理" class="headerlink" title="RedHat/CentOS系列清理"></a>RedHat/CentOS Family Cleanup</h2><h3 id="基础清理"><a href="#基础清理" class="headerlink" title="基础清理"></a>Basic Cleanup</h3><ol><li><p>Stop services:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Stop containers and services</span></span><br><span class="line">docker stop $(docker ps -aq)</span><br><span class="line">systemctl stop docker</span><br><span class="line">systemctl stop containerd</span><br></pre></td></tr></table></figure></li><li><p>Clean up resources:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Clean up container resources</span></span><br><span class="line">docker <span class="built_in">rm</span> -f $(docker ps -aq)</span><br><span class="line">docker rmi -f $(docker images -aq)</span><br><span class="line">docker volume <span class="built_in">rm</span> $(docker volume <span class="built_in">ls</span> -q)</span><br><span class="line">docker network <span class="built_in">rm</span> $(docker network <span 
class="built_in">ls</span> -q)</span><br></pre></td></tr></table></figure></li></ol><h3 id="系统清理"><a href="#系统清理" class="headerlink" title="系统清理"></a>System cleanup</h3><ol><li><p>Uninstall packages:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Remove Docker packages</span></span><br><span class="line">yum remove -y docker \</span><br><span class="line"> docker-client \</span><br><span class="line"> docker-client-latest \</span><br><span class="line"> docker-common \</span><br><span class="line"> docker-latest \</span><br><span class="line"> docker-latest-logrotate \</span><br><span class="line"> docker-logrotate \</span><br><span class="line"> docker-engine \</span><br><span class="line"> docker-ce \</span><br><span class="line"> docker-ce-cli \</span><br><span class="line"> containerd.io \</span><br><span class="line"> docker-compose-plugin</span><br><span class="line"></span><br><span class="line"><span class="comment"># Clean up dependencies</span></span><br><span class="line">yum autoremove -y</span><br><span class="line">yum clean all</span><br></pre></td></tr></table></figure></li><li><p>Clean up files:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Remove data and configuration</span></span><br><span class="line"><span class="built_in">rm</span> -rf /var/lib/docker</span><br><span class="line"><span class="built_in">rm</span> -rf /data/docker</span><br><span class="line"><span class="built_in">rm</span> -rf /etc/docker</span><br><span class="line"><span class="built_in">rm</span> -rf /etc/systemd/system/docker.service.d</span><br><span class="line"><span class="built_in">rm</span> -rf /var/run/docker</span><br><span class="line"><span class="built_in">rm</span> -rf /var/run/docker.sock</span><br><span class="line"><span class="built_in">rm</span> -rf /var/log/docker</span><br><span class="line"></span><br><span class="line"><span class="comment"># Remove the yum repository</span></span><br><span class="line"><span 
class="built_in">rm</span> -rf /etc/yum.repos.d/docker-ce.repo</span><br></pre></td></tr></table></figure></li></ol><h2 id="Debian-Ubuntu系列清理"><a href="#Debian-Ubuntu系列清理" class="headerlink" title="Debian/Ubuntu系列清理"></a>Cleanup on Debian/Ubuntu family systems</h2><h3 id="基础清理-1"><a href="#基础清理-1" class="headerlink" title="基础清理"></a>Basic cleanup</h3><ol><li><p>Stop services:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Stop containers and services</span></span><br><span class="line">docker stop $(docker ps -aq)</span><br><span class="line">systemctl stop docker</span><br><span class="line">systemctl stop containerd</span><br></pre></td></tr></table></figure></li><li><p>Clean up resources:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Clean up container resources</span></span><br><span class="line">docker <span class="built_in">rm</span> -f $(docker ps -aq)</span><br><span class="line">docker rmi -f $(docker images -aq)</span><br><span class="line">docker volume <span class="built_in">rm</span> $(docker volume <span class="built_in">ls</span> -q)</span><br><span class="line">docker network <span class="built_in">rm</span> $(docker network <span class="built_in">ls</span> -q)</span><br></pre></td></tr></table></figure></li></ol><h3 id="系统清理-1"><a href="#系统清理-1" class="headerlink" title="系统清理"></a>System cleanup</h3><ol><li><p>Uninstall packages:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Remove Docker packages</span></span><br><span class="line">apt-get purge -y docker-ce \</span><br><span class="line"> docker-ce-cli \</span><br><span class="line"> containerd.io \</span><br><span class="line"> docker-compose-plugin \</span><br><span class="line"> docker-ce-rootless-extras</span><br><span class="line"></span><br><span class="line"><span class="comment"># Clean up dependencies</span></span><br><span class="line">apt-get autoremove -y</span><br><span class="line">apt-get 
clean</span><br></pre></td></tr></table></figure></li><li><p>Clean up files:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Remove data and configuration</span></span><br><span class="line"><span class="built_in">rm</span> -rf /var/lib/docker</span><br><span class="line"><span class="built_in">rm</span> -rf /data/docker</span><br><span class="line"><span class="built_in">rm</span> -rf /etc/docker</span><br><span class="line"><span class="built_in">rm</span> -rf /etc/systemd/system/docker.service.d</span><br><span class="line"><span class="built_in">rm</span> -rf /var/run/docker</span><br><span class="line"><span class="built_in">rm</span> -rf /var/run/docker.sock</span><br><span class="line"><span class="built_in">rm</span> -rf /var/log/docker</span><br><span class="line"></span><br><span class="line"><span class="comment"># Remove the apt repository</span></span><br><span class="line"><span class="built_in">rm</span> -rf /etc/apt/sources.list.d/docker.list</span><br><span class="line"><span class="built_in">rm</span> -rf /etc/apt/sources.list.d/docker.list.save</span><br></pre></td></tr></table></figure></li></ol><h2 id="环境验证"><a href="#环境验证" class="headerlink" title="环境验证"></a>Verification</h2><h3 id="清理验证"><a href="#清理验证" class="headerlink" title="清理验证"></a>Verify the cleanup</h3><ol><li>Process check:<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check processes</span></span><br><span class="line">ps aux | grep -i docker</span><br><span class="line">ps aux | grep -i containerd</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check ports</span></span><br><span class="line">netstat -tulpn | grep -E <span class="string">"docker|containerd"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Check files</span></span><br><span class="line">find / -name <span class="string">"*docker*"</span></span><br><span class="line">find / -name <span 
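class="string">"*containerd*"</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>This document provides a Docker environment cleanup guide for RedHat/CentOS and Debian/Ubuntu family systems, including the complete cleanup procedure and verification steps. Make a thorough backup before performing the cleanup.</p>]]></content>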
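<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article explains in detail how to completely clean up a Docker environment, with specific steps for RedHat&#x2F;CentOS and Debian&#x2F;Ubuntu family systems. It covers environment checks, data backup, stopping services, resource cleanup, and package removal, helping users clean up a Docker environment safely and completely. Be sure to back up your data before running the cleanup.</p></summary>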
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Docker" scheme="https://freemankevin.uk/tags/Docker/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
</entry>
<entry>
<title>Docker Log Management Panel - UI Deployment Guide</title>
<link href="https://freemankevin.uk/2025/01/14/dozzle/"/>
<id>https://freemankevin.uk/2025/01/14/dozzle/</id>
<published>2025-01-14T06:44:25.000Z</published>
<updated>2025-01-14T07:40:25.162Z</updated>
<content type="html"><![CDATA[<p> This article explains in detail how to deploy and use Dozzle, a Docker log management panel, covering core features such as server/client deployment configuration, security hardening, log management, and performance monitoring. With appropriate configuration it provides centralized management, real-time monitoring, and analysis of logs from multiple containers, which suits teams doing log management and troubleshooting for Docker containers.</p><span id="more"></span><h2 id="基础部署配置"><a href="#基础部署配置" class="headerlink" title="基础部署配置"></a>Basic deployment configuration</h2><h3 id="前提条件"><a href="#前提条件" class="headerlink" title="前提条件"></a>Prerequisites</h3><ol><li><p>System requirements:</p><ul><li>Docker >= 20.10.x</li><li>Docker Compose >= 2.x</li><li>Supported architectures: AMD64, ARM64</li><li>Memory: 2 GB or more</li><li>CPU: 2 cores or more</li></ul></li><li><p>Network requirements:</p><ul><li>Server port: 8080</li><li>Client port: 7007</li><li>The server and client must be able to reach each other over the network</li></ul></li></ol><h3 id="在线部署"><a href="#在线部署" class="headerlink" title="在线部署"></a>Online deployment</h3><ol><li><p>Server deployment:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># docker-compose.yml</span></span><br><span class="line"><span class="attr">version:</span> <span class="string">'3'</span></span><br><span class="line"><span class="attr">services:</span></span><br><span class="line"> <span class="attr">dozzle:</span></span><br><span class="line"> <span class="attr">image:</span> <span class="string">amir20/dozzle:latest</span></span><br><span class="line"> <span class="attr">container_name:</span> <span class="string">dozzle</span></span><br><span class="line"> <span class="attr">restart:</span> <span class="string">unless-stopped</span></span><br><span class="line"> <span class="attr">environment:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_HOSTNAME=server.example.com</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_REMOTE_AGENT=agent.example.com:7007</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_AUTH=true</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_USERNAME=admin</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">[email 
protected]</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">TZ=Asia/Shanghai</span></span><br><span class="line"> <span class="attr">volumes:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/var/run/docker.sock:/var/run/docker.sock:ro</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">./data:/data</span></span><br><span class="line"> <span class="attr">ports:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"8080:8080"</span></span><br></pre></td></tr></table></figure></li><li><p>Client deployment:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># docker-compose.yml</span></span><br><span class="line"><span class="attr">version:</span> <span class="string">'3'</span></span><br><span class="line"><span class="attr">services:</span></span><br><span class="line"> <span class="attr">dozzle-agent:</span></span><br><span class="line"> <span class="attr">image:</span> <span class="string">amir20/dozzle-agent:latest</span></span><br><span class="line"> <span class="attr">container_name:</span> <span class="string">dozzle-agent</span></span><br><span class="line"> <span class="attr">restart:</span> <span class="string">unless-stopped</span></span><br><span class="line"> <span class="attr">environment:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_HOSTNAME=agent.example.com</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">TZ=Asia/Shanghai</span></span><br><span class="line"> <span class="attr">volumes:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/var/run/docker.sock:/var/run/docker.sock:ro</span></span><br><span class="line"> <span class="attr">ports:</span></span><br><span class="line"> <span class="bullet">-</span> <span 
class="string">"7007:7007"</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="高级配置"><a href="#高级配置" class="headerlink" title="高级配置"></a>Advanced configuration</h2><h3 id="安全配置"><a href="#安全配置" class="headerlink" title="安全配置"></a>Security configuration</h3><ol><li><p>User authentication:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">environment:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_AUTH=true</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_AUTH_PROVIDER=basic</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_USERNAME=admin</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_PASSWORD_HASH=${HASHED_PASSWORD}</span></span><br></pre></td></tr></table></figure></li><li><p>SSL configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">environment:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_ADDR=:8443</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_SSL=true</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_SSL_CERT=/certs/cert.pem</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_SSL_KEY=/certs/key.pem</span></span><br><span class="line"><span class="attr">volumes:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">./certs:/certs:ro</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="日志配置"><a href="#日志配置" class="headerlink" title="日志配置"></a>Log configuration</h3><ol><li><p>Log retention policy:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">environment:</span></span><br><span class="line"> <span class="bullet">-</span> <span 
class="string">DOZZLE_TAILSIZE=1000</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_FILTER=.*</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_LEVEL=info</span></span><br></pre></td></tr></table></figure></li><li><p>Advanced filtering:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">environment:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_FILTER_CONTAINERS=app*</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_FILTER_SERVICES=web*,api*</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_EXCLUDE=*-tmp</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="功能使用"><a href="#功能使用" class="headerlink" title="功能使用"></a>Using the features</h2><h3 id="基础功能"><a href="#基础功能" class="headerlink" title="基础功能"></a>Basic features</h3><ol><li><p>Viewing logs:</p><ul><li>Real-time log tailing</li><li>Multi-container log aggregation</li><li>Log search (Ctrl+K)</li><li>Log download</li></ul></li><li><p>Container management:</p><ul><li>View container status</li><li>Monitor resource usage</li><li>View environment variables</li><li>View container configuration</li></ul></li></ol><h3 id="高级功能"><a href="#高级功能" class="headerlink" title="高级功能"></a>Advanced features</h3><ol><li><p>Log analysis:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Regular expression search</span></span><br><span class="line">(?i)error|warning|failed</span><br><span class="line"></span><br><span class="line"><span class="comment"># Time range filter</span></span><br><span class="line">@<span class="keyword">time</span>[2024-03-14 10:00:00 TO 2024-03-14 11:00:00]</span><br><span class="line"></span><br><span class="line"><span class="comment"># Combined query</span></span><br><span class="line">service:api AND level:error</span><br></pre></td></tr></table></figure></li><li><p>Performance monitoring:</p><ul><li>CPU usage trends</li><li>Memory usage analysis</li><li>Network I/O statistics</li><li>Disk usage monitoring</li></ul></li></ol><h3 id="自动化集成"><a href="#自动化集成" 
class="headerlink" title="自动化集成"></a>Automation integration</h3><ol><li><p>API integration:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Fetch logs</span></span><br><span class="line">curl -u admin:password http://localhost:8080/api/logs/container_id</span><br><span class="line"></span><br><span class="line"><span class="comment"># Export logs</span></span><br><span class="line">curl -X POST http://localhost:8080/api/export/container_id</span><br></pre></td></tr></table></figure></li><li><p>Alert integration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">environment:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_ALERT_ENDPOINT=http://alert-service:8080/webhook</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_ALERT_LEVEL=error</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">DOZZLE_ALERT_INTERVAL=5m</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best practices</h2><h3 id="性能优化"><a href="#性能优化" class="headerlink" title="性能优化"></a>Performance optimization</h3><ol><li><p>Log management:</p><ul><li>Implement log rotation</li><li>Configure an appropriate buffer</li><li>Use an efficient storage method</li><li>Clean up old logs regularly</li></ul></li><li><p>Resource control:</p><ul><li>Limit log size</li><li>Limit the number of concurrent connections</li><li>Optimize query performance</li><li>Implement a caching strategy</li></ul></li></ol><h3 id="安全加固"><a href="#安全加固" class="headerlink" title="安全加固"></a>Security hardening</h3><ol><li><p>Access control:</p><ul><li>Enable authentication</li><li>Configure SSL/TLS</li><li>Apply IP restrictions</li><li>Audit logging</li></ul></li><li><p>Data security:</p><ul><li>Encrypt sensitive information</li><li>Back up data regularly</li><li>Apply least privilege</li><li>Monitor for anomalous access</li></ul></li></ol><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>Dozzle provides powerful Docker log management, and appropriate configuration can significantly improve the efficiency of managing container logs. This document covers a complete configuration guide from basic deployment to advanced features; enable features selectively according to your actual needs.</p>]]></content>
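<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article explains in detail how to deploy and use Dozzle, a Docker log management panel, covering core features such as server&#x2F;client deployment configuration, security hardening, log management, and performance monitoring. With appropriate configuration it provides centralized management, real-time monitoring, and analysis of logs from multiple containers, which suits teams doing log management and troubleshooting for Docker containers.</p></summary>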
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Docker" scheme="https://freemankevin.uk/tags/Docker/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Dozzle" scheme="https://freemankevin.uk/tags/Dozzle/"/>
</entry>
<entry>
<title>Docker Service Management Panel - Command-Line Tool</title>
<link href="https://freemankevin.uk/2025/01/14/lazydocker/"/>
<id>https://freemankevin.uk/2025/01/14/lazydocker/</id>
<published>2025-01-14T06:44:25.000Z</published>
<updated>2025-01-14T07:40:22.698Z</updated>
<content type="html"><![CDATA[<p> This article explains in detail how to deploy and use lazydocker, a command-line management tool for Docker, covering online installation and configuration, basic operations, advanced features, and automation integration. With appropriate configuration it can significantly improve the efficiency of managing Docker services from the command line, which suits operations staff who need to manage and monitor Docker services quickly in environments without a UI.</p><span id="more"></span><h2 id="基础部署配置"><a href="#基础部署配置" class="headerlink" title="基础部署配置"></a>Basic deployment configuration</h2><h3 id="前提条件"><a href="#前提条件" class="headerlink" title="前提条件"></a>Prerequisites</h3><ol><li><p>System requirements:</p><ul><li>Docker >= 1.13 (API >= 1.25)</li><li>Docker-Compose >= 1.23.2 (optional)</li><li>Supported architectures: AMD64, ARM64</li></ul></li><li><p>Environment requirements:</p><ul><li>Basic system tools (curl, wget, etc.)</li><li>Git (optional, for building from source)</li><li>A basic terminal environment</li></ul></li></ol><h3 id="在线安装"><a href="#在线安装" class="headerlink" title="在线安装"></a>Online installation</h3><ol><li><p>Install with the script:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Download and run the install script</span></span><br><span class="line">curl -L https://raw.githubusercontent.com/jesseduffield/lazydocker/master/scripts/install_update_linux.sh | bash</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify the installation</span></span><br><span class="line">lazydocker --version</span><br></pre></td></tr></table></figure></li><li><p>Manual installation:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Get the latest version number</span></span><br><span class="line">VERSION=$(curl -s <span class="string">"https://api.github.com/repos/jesseduffield/lazydocker/releases/latest"</span> | grep -Po <span class="string">'"tag_name": "v\K[^"]*'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Download the binary for your architecture</span></span><br><span class="line">curl -Lo lazydocker.tar.gz <span class="string">"https://github.com/jesseduffield/lazydocker/releases/download/v<span class="variable">${VERSION}</span>/lazydocker_<span class="variable">${VERSION}</span>_Linux_x86_64.tar.gz"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Extract and install</span></span><br><span class="line">tar xf lazydocker.tar.gz 
lazydocker</span><br><span class="line"><span class="built_in">sudo</span> install lazydocker /usr/local/bin/</span><br></pre></td></tr></table></figure></li></ol><h2 id="高级配置"><a href="#高级配置" class="headerlink" title="高级配置"></a>Advanced configuration</h2><h3 id="基础配置文件"><a href="#基础配置文件" class="headerlink" title="基础配置文件"></a>Basic configuration file</h3><ol><li><p>Create the configuration directory:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">mkdir</span> -p ~/.config/lazydocker</span><br></pre></td></tr></table></figure></li><li><p>Basic configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># ~/.config/lazydocker/config.yml</span></span><br><span class="line"><span class="attr">gui:</span></span><br><span class="line"> <span class="attr">scrollHeight:</span> <span class="number">2</span></span><br><span class="line"> <span class="attr">language:</span> <span class="string">"auto"</span></span><br><span class="line"> <span class="attr">border:</span> <span class="string">"rounded"</span></span><br><span class="line"> <span class="attr">theme:</span></span><br><span class="line"> <span class="attr">activeBorderColor:</span> [<span class="string">"green"</span>, <span class="string">"bold"</span>]</span><br><span class="line"> <span class="attr">inactiveBorderColor:</span> [<span class="string">"white"</span>]</span><br><span class="line"> <span class="attr">selectedLineBgColor:</span> [<span class="string">"blue"</span>]</span><br><span class="line"> <span class="attr">sidePanelWidth:</span> <span class="number">0.333</span></span><br><span class="line"> <span class="attr">showBottomLine:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">expandFocusedSidePanel:</span> <span class="literal">false</span></span><br><span class="line"> <span class="attr">screenMode:</span> <span class="string">"normal"</span></span><br><span class="line"></span><br><span class="line"><span 
class="attr">logs:</span></span><br><span class="line"> <span class="attr">timestamps:</span> <span class="literal">false</span></span><br><span class="line"> <span class="attr">since:</span> <span class="string">'60m'</span></span><br><span class="line"> <span class="attr">tail:</span> <span class="string">'50'</span></span><br><span class="line"></span><br><span class="line"><span class="attr">stats:</span></span><br><span class="line"> <span class="attr">graphs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">caption:</span> <span class="string">CPU</span> <span class="string">(%)</span></span><br><span class="line"> <span class="attr">statPath:</span> <span class="string">DerivedStats.CPUPercentage</span></span><br><span class="line"> <span class="attr">color:</span> <span class="string">blue</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">caption:</span> <span class="string">Memory</span> <span class="string">(%)</span></span><br><span class="line"> <span class="attr">statPath:</span> <span class="string">DerivedStats.MemoryPercentage</span></span><br><span class="line"> <span class="attr">color:</span> <span class="string">green</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="高级功能配置"><a href="#高级功能配置" class="headerlink" title="高级功能配置"></a>Advanced feature configuration</h3><ol><li><p>Custom command templates:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">commandTemplates:</span></span><br><span class="line"> <span class="comment"># Basic service management</span></span><br><span class="line"> <span class="attr">dockerCompose:</span> <span class="string">docker</span> <span class="string">compose</span></span><br><span class="line"> <span class="attr">restartService:</span> <span class="string">'{{ .DockerCompose }} restart {{ .Service.Name }}'</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Advanced deployment command</span></span><br><span 
class="line"> <span class="attr">deployWithRollback:</span> <span class="string">|</span></span><br><span class="line"><span class="string"> {{ .DockerCompose }} pull {{ .Service.Name }} && \</span></span><br><span class="line"><span class="string"> {{ .DockerCompose }} up -d --no-deps {{ .Service.Name }}</span></span><br><span class="line"><span class="string"></span> </span><br><span class="line"> <span class="comment"># Debug command</span></span><br><span class="line"> <span class="attr">debugService:</span> <span class="string">|</span></span><br><span class="line"><span class="string"> {{ .DockerCompose }} exec {{ .Service.Name }} sh -c "ps aux && netstat -nltp"</span></span><br><span class="line"><span class="string"></span> </span><br><span class="line"> <span class="comment"># Performance profiling</span></span><br><span class="line"> <span class="attr">profileService:</span> <span class="string">|</span></span><br><span class="line"> {{ <span class="string">.DockerCompose</span> }} <span class="string">exec</span> {{ <span class="string">.Service.Name</span> }} <span class="string">sh</span> <span class="string">-c</span> <span class="string">"top -bn1"</span></span><br></pre></td></tr></table></figure></li><li><p>Monitoring configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">stats:</span></span><br><span class="line"> <span class="attr">graphs:</span></span><br><span class="line"> <span class="comment"># Network monitoring</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">caption:</span> <span class="string">Network</span> <span class="string">I/O</span></span><br><span class="line"> <span class="attr">statPath:</span> <span class="string">DerivedStats.NetIO</span></span><br><span class="line"> <span class="attr">color:</span> <span class="string">cyan</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Disk monitoring</span></span><br><span class="line"> <span 
class="bullet">-</span> <span class="attr">caption:</span> <span class="string">Disk</span> <span class="string">I/O</span></span><br><span class="line"> <span class="attr">statPath:</span> <span class="string">DerivedStats.BlockIO</span></span><br><span class="line"> <span class="attr">color:</span> <span class="string">yellow</span></span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Custom metric</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">caption:</span> <span class="string">Custom</span> <span class="string">Metric</span></span><br><span class="line"> <span class="attr">statPath:</span> <span class="string">Stats.CustomMetrics</span></span><br><span class="line"> <span class="attr">color:</span> <span class="string">magenta</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="功能使用"><a href="#功能使用" class="headerlink" title="功能使用"></a>Using the features</h2><h3 id="基础操作"><a href="#基础操作" class="headerlink" title="基础操作"></a>Basic operations</h3><ol><li><p>Navigation shortcuts:</p><ul><li>Tab: switch panels</li><li>h/l: move left/right</li><li>j/k: move up/down</li><li>Space: select an item</li><li>Enter: confirm the action</li></ul></li><li><p>Service management:</p><ul><li>r: restart the service</li><li>s: stop the service</li><li>u: start the service</li><li>b: rebuild the service</li><li>l: view logs</li></ul></li></ol><h3 id="高级功能"><a href="#高级功能" class="headerlink" title="高级功能"></a>Advanced features</h3><ol><li><p>Container debugging:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Enter container debug mode</span></span><br><span class="line">x -> e</span><br><span class="line"></span><br><span class="line"><span class="comment"># View container details</span></span><br><span class="line">x -> i</span><br><span class="line"></span><br><span class="line"><span class="comment"># View container performance data</span></span><br><span class="line">x -> s</span><br></pre></td></tr></table></figure></li><li><p>Log analysis:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Real-time log tailing</span></span><br><span 
class="line">m</span><br><span class="line"></span><br><span class="line"><span class="comment"># Filter logs</span></span><br><span class="line">/ -> enter the filter condition</span><br><span class="line"></span><br><span class="line"><span class="comment"># Export logs</span></span><br><span class="line">x -> o</span><br></pre></td></tr></table></figure></li><li><p>Performance monitoring:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># View resource usage</span></span><br><span class="line">x -> s</span><br><span class="line"></span><br><span class="line"><span class="comment"># Export performance data</span></span><br><span class="line">x -> e -> choose an export option</span><br></pre></td></tr></table></figure></li></ol><h3 id="自动化集成"><a href="#自动化集成" class="headerlink" title="自动化集成"></a>Automation integration</h3><ol><li><p>CI/CD integration:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Check service status</span></span><br><span class="line">lazydocker --check-services</span><br><span class="line"></span><br><span class="line"><span class="comment"># Automatically restart a service</span></span><br><span class="line">lazydocker --restart-service servicename</span><br><span class="line"></span><br><span class="line"><span class="comment"># Health check</span></span><br><span class="line">lazydocker --health-check</span><br></pre></td></tr></table></figure></li><li><p>Monitoring integration:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Export monitoring data</span></span><br><span class="line">lazydocker --export-stats</span><br><span class="line"></span><br><span class="line"><span class="comment"># Performance report</span></span><br><span class="line">lazydocker --generate-report</span><br></pre></td></tr></table></figure></li></ol><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best practices</h2><h3 id="性能优化"><a href="#性能优化" class="headerlink" 
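title="性能优化"></a>Performance optimization</h3><ol><li><p>Log management:</p><ul><li>Set a sensible log retention period</li><li>Use log rotation</li><li>Avoid excessive log output</li><li>Implement log compression</li></ul></li><li><p>Resource monitoring:</p><ul><li>Set resource alert thresholds</li><li>Apply container resource limits</li><li>Monitor key metrics</li><li>Clean up unused resources regularly</li></ul></li></ol><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security recommendations</h3><ol><li><p>Access control:</p><ul><li>Restrict command execution permissions</li><li>Implement user authentication</li><li>Encrypt sensitive configuration</li><li>Audit operation logs</li></ul></li><li><p>Container security:</p><ul><li>Follow the principle of least privilege</li><li>Update base images regularly</li><li>Scan for security vulnerabilities</li><li>Implement network isolation</li></ul></li></ol><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>lazydocker provides powerful command-line Docker management, and appropriate configuration can significantly improve the efficiency of managing Docker services. This document covers a complete configuration guide from basic deployment to advanced features; enable features selectively according to your actual needs.</p>]]></content>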
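<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; This article explains in detail how to deploy and use lazydocker, a command-line management tool for Docker, covering online installation and configuration, basic operations, advanced features, and automation integration. With appropriate configuration it can significantly improve the efficiency of managing Docker services from the command line, which suits operations staff who need to manage and monitor Docker services quickly in environments without a UI.</p></summary>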
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Docker" scheme="https://freemankevin.uk/tags/Docker/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Lazydocker" scheme="https://freemankevin.uk/tags/Lazydocker/"/>
</entry>
<entry>
<title>Docker Service Management Panel - UI Deployment Guide</title>
<link href="https://freemankevin.uk/2025/01/14/portainer/"/>
<id>https://freemankevin.uk/2025/01/14/portainer/</id>
<published>2025-01-14T02:59:25.000Z</published>
<updated>2025-01-14T07:41:09.045Z</updated>
<content type="html"><![CDATA[<p> This article explains in detail how to deploy and use Portainer, a Docker service management panel, covering basic deployment configuration, advanced feature configuration, user authentication, monitoring integration, backup strategy, and best practices. It provides complete configuration examples and practical recommendations, and is a reference for operations teams building an enterprise-grade Docker container management platform.</p><span id="more"></span><h2 id="基础部署配置"><a href="#基础部署配置" class="headerlink" title="基础部署配置"></a>Basic deployment configuration</h2><h3 id="前提条件"><a href="#前提条件" class="headerlink" title="前提条件"></a>Prerequisites</h3><ol><li><p>System requirements:</p><ul><li>CPU: 2 cores or more</li><li>Memory: 4 GB or more</li><li>Disk: 20 GB or more</li><li>Network: 100 Mbps or more</li></ul></li><li><p>Environment requirements:</p><ul><li>Docker 20.10.x or later</li><li>Docker Compose 2.x or later</li><li>Server port requirements:<ul><li>HTTP: 9000</li><li>HTTPS: 9443 (optional)</li><li>Agent: 9001</li><li>Edge: 8000 (optional)</li></ul></li></ul></li></ol><h3 id="服务端部署"><a href="#服务端部署" class="headerlink" title="服务端部署"></a>Server deployment</h3><ol><li><p>Create the deployment directory:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">mkdir</span> -p /data/portainer/data</span><br></pre></td></tr></table></figure></li><li><p>Deployment configuration file:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># docker-compose.yml</span></span><br><span class="line"><span class="attr">version:</span> <span class="string">'3'</span></span><br><span class="line"><span class="attr">services:</span></span><br><span class="line"> <span class="attr">portainer:</span></span><br><span class="line"> <span class="attr">image:</span> <span class="string">portainer/portainer-ce:latest</span></span><br><span class="line"> <span class="attr">container_name:</span> <span class="string">portainer</span></span><br><span class="line"> <span class="attr">restart:</span> <span class="string">always</span></span><br><span class="line"> <span class="attr">security_opt:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="literal">no</span><span class="string">-new-privileges:true</span></span><br><span class="line"> <span class="attr">volumes:</span></span><br><span class="line"> <span class="bullet">-</span> 
<span class="string">/etc/localtime:/etc/localtime:ro</span></span><br><span class="line">      <span class="comment"># Note: ":ro" on the socket mount does not limit Docker API calls; the container still has full control of the daemon</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/var/run/docker.sock:/var/run/docker.sock:ro</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/data/portainer/data:/data</span></span><br><span class="line">    <span class="attr">ports:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">"9000:9000"</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">"9443:9443"</span></span><br><span class="line">    <span class="attr">environment:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">TZ=Asia/Shanghai</span></span><br></pre></td></tr></table></figure></li><li><p>Start the service:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">docker-compose up -d</span><br></pre></td></tr></table></figure></li></ol><h3 id="Agent部署"><a href="#Agent部署" class="headerlink" title="Agent部署"></a>Agent Deployment</h3><ol><li><p>Create the Agent configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># docker-compose.yml</span></span><br><span class="line"><span class="attr">version:</span> <span class="string">'3'</span></span><br><span class="line"><span class="attr">services:</span></span><br><span class="line">  <span class="attr">portainer_agent:</span></span><br><span class="line">    <span class="attr">image:</span> <span class="string">portainer/agent:latest</span></span><br><span class="line">    <span class="attr">container_name:</span> <span class="string">portainer_agent</span></span><br><span class="line">    <span class="attr">restart:</span> <span class="string">always</span></span><br><span class="line">    <span class="attr">volumes:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/etc/localtime:/etc/localtime:ro</span></span><br><span class="line">      <span 
class="bullet">-</span> <span class="string">/var/run/docker.sock:/var/run/docker.sock:ro</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/var/lib/docker/volumes:/var/lib/docker/volumes</span></span><br><span class="line">    <span class="attr">ports:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">"9001:9001"</span></span><br><span class="line">    <span class="attr">environment:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">TZ=Asia/Shanghai</span></span><br></pre></td></tr></table></figure></li><li><p>Start the Agent:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">docker-compose up -d</span><br></pre></td></tr></table></figure></li></ol><h2 id="高级配置"><a href="#高级配置" class="headerlink" title="高级配置"></a>Advanced Configuration</h2><h3 id="SSL证书配置"><a href="#SSL证书配置" class="headerlink" title="SSL证书配置"></a>SSL Certificate Configuration</h3><ol><li><p>Self-signed certificate:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">openssl req -x509 -nodes -days 3650 \</span><br><span class="line"> -newkey rsa:2048 -keyout portainer.key \</span><br><span class="line"> -out portainer.crt</span><br></pre></td></tr></table></figure></li><li><p>Certificate configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">services:</span></span><br><span class="line">  <span class="attr">portainer:</span></span><br><span class="line">    <span class="attr">volumes:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">./portainer.crt:/certs/portainer.crt:ro</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">./portainer.key:/certs/portainer.key:ro</span></span><br><span class="line">    <span class="attr">command:</span> <span class="string">--ssl</span> <span class="string">--sslcert</span> <span class="string">/certs/portainer.crt</span> <span 
class="string">--sslkey</span> <span class="string">/certs/portainer.key</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="高可用配置"><a href="#高可用配置" class="headerlink" title="高可用配置"></a>High Availability Configuration</h3><ol><li>Cluster mode configuration:<figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">version:</span> <span class="string">'3'</span></span><br><span class="line"><span class="attr">services:</span></span><br><span class="line">  <span class="attr">portainer1:</span></span><br><span class="line">    <span class="attr">image:</span> <span class="string">portainer/portainer-ce</span></span><br><span class="line">    <span class="attr">command:</span> <span class="string">-H</span> <span class="string">tcp://tasks.agent:9001</span> <span class="string">--cluster</span></span><br><span class="line">    <span class="attr">ports:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">"9000:9000"</span></span><br><span class="line">    <span class="attr">volumes:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">portainer_data:/data</span></span><br><span class="line">    <span class="attr">deploy:</span></span><br><span class="line">      <span class="attr">replicas:</span> <span class="number">2</span></span><br><span class="line">      <span class="attr">placement:</span></span><br><span class="line">        <span class="attr">constraints:</span> [<span class="string">node.role</span> <span class="string">==</span> <span class="string">manager</span>]</span><br><span class="line"></span><br><span class="line">  <span class="attr">agent:</span></span><br><span class="line">    <span class="attr">image:</span> <span class="string">portainer/agent</span></span><br><span class="line">    <span class="attr">volumes:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/var/run/docker.sock:/var/run/docker.sock</span></span><br><span class="line">      <span 
class="bullet">-</span> <span class="string">/var/lib/docker/volumes:/var/lib/docker/volumes</span></span><br><span class="line">    <span class="attr">deploy:</span></span><br><span class="line">      <span class="attr">mode:</span> <span class="string">global</span></span><br><span class="line">      <span class="attr">placement:</span></span><br><span class="line">        <span class="attr">constraints:</span> [<span class="string">node.platform.os</span> <span class="string">==</span> <span class="string">linux</span>]</span><br><span class="line"></span><br><span class="line"><span class="attr">volumes:</span></span><br><span class="line">  <span class="attr">portainer_data:</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="资源限制"><a href="#资源限制" class="headerlink" title="资源限制"></a>Resource Limits</h3><ol><li>Container resource limits:<figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">services:</span></span><br><span class="line">  <span class="attr">portainer:</span></span><br><span class="line">    <span class="attr">deploy:</span></span><br><span class="line">      <span class="attr">resources:</span></span><br><span class="line">        <span class="attr">limits:</span></span><br><span class="line">          <span class="attr">cpus:</span> <span class="string">'1'</span></span><br><span class="line">          <span class="attr">memory:</span> <span class="string">2G</span></span><br><span class="line">        <span class="attr">reservations:</span></span><br><span class="line">          <span class="attr">cpus:</span> <span class="string">'0.5'</span></span><br><span class="line">          <span class="attr">memory:</span> <span class="string">1G</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="功能配置"><a href="#功能配置" class="headerlink" title="功能配置"></a>Feature Configuration</h2><h3 id="用户认证"><a href="#用户认证" class="headerlink" title="用户认证"></a>User Authentication</h3><ol><li><p>LDAP integration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span 
class="attr">environment:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">LDAP_ENABLED=true</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">LDAP_SERVER=ldap://ldap.example.com</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">LDAP_BIND_DN=cn=admin,dc=example,dc=com</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">LDAP_BIND_PASSWORD=password</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">LDAP_SEARCH_BASE=dc=example,dc=com</span></span><br></pre></td></tr></table></figure></li><li><p>OAuth2 configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">environment:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">OAUTH_PROVIDER=github</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">OAUTH_CLIENT_ID=your_client_id</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">OAUTH_CLIENT_SECRET=your_client_secret</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">OAUTH_SCOPES=read:org,user:email</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="监控集成"><a href="#监控集成" class="headerlink" title="监控集成"></a>Monitoring Integration</h3><ol><li><p>Prometheus integration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">services:</span></span><br><span class="line">  <span class="attr">portainer:</span></span><br><span class="line">    <span class="attr">labels:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">"prometheus.enable=true"</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">"prometheus.port=9000"</span></span><br><span class="line">      <span class="bullet">-</span> <span 
class="string">"prometheus.path=/metrics"</span></span><br></pre></td></tr></table></figure></li><li><p>Grafana dashboard configuration:</p><figure class="highlight json"><table><tr><td class="code"><pre><span class="line"><span class="punctuation">{</span></span><br><span class="line">  <span class="attr">"dashboard"</span><span class="punctuation">:</span> <span class="punctuation">{</span></span><br><span class="line">    <span class="attr">"id"</span><span class="punctuation">:</span> <span class="literal"><span class="keyword">null</span></span><span class="punctuation">,</span></span><br><span class="line">    <span class="attr">"title"</span><span class="punctuation">:</span> <span class="string">"Portainer Dashboard"</span><span class="punctuation">,</span></span><br><span class="line">    <span class="attr">"tags"</span><span class="punctuation">:</span> <span class="punctuation">[</span><span class="string">"docker"</span><span class="punctuation">,</span> <span class="string">"portainer"</span><span class="punctuation">]</span><span class="punctuation">,</span></span><br><span class="line">    <span class="attr">"timezone"</span><span class="punctuation">:</span> <span class="string">"browser"</span><span class="punctuation">,</span></span><br><span class="line">    <span class="attr">"panels"</span><span class="punctuation">:</span> <span class="punctuation">[</span></span><br><span class="line">      <span class="punctuation">{</span></span><br><span class="line">        <span class="attr">"title"</span><span class="punctuation">:</span> <span class="string">"Container CPU Usage"</span><span class="punctuation">,</span></span><br><span class="line">        <span class="attr">"type"</span><span class="punctuation">:</span> <span class="string">"graph"</span><span class="punctuation">,</span></span><br><span class="line">        <span class="attr">"datasource"</span><span class="punctuation">:</span> <span class="string">"Prometheus"</span></span><br><span class="line">      <span 
class="punctuation">}</span></span><br><span class="line">    <span class="punctuation">]</span></span><br><span class="line">  <span class="punctuation">}</span></span><br><span class="line"><span class="punctuation">}</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="备份策略"><a href="#备份策略" class="headerlink" title="备份策略"></a>Backup Strategy</h3><ol><li>Data backup script:<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line">BACKUP_DIR=<span class="string">"/backup/portainer"</span></span><br><span class="line">DATE=$(<span class="built_in">date</span> +%Y%m%d)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Create the backup directory</span></span><br><span class="line"><span class="built_in">mkdir</span> -p <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Back up the data</span></span><br><span class="line">tar czf <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span>/portainer_data.tar.gz /data/portainer/data/</span><br><span class="line"></span><br><span class="line"><span class="comment"># Remove old backups (only the dated subdirectories, never BACKUP_DIR itself)</span></span><br><span class="line">find <span class="variable">${BACKUP_DIR}</span> -mindepth 1 -maxdepth 1 -<span class="built_in">type</span> d -mtime +30 -<span class="built_in">exec</span> <span class="built_in">rm</span> -rf {} \;</span><br></pre></td></tr></table></figure></li></ol><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best Practices</h2><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security Recommendations</h3><ol><li><p>Access control:</p><ul><li>Enable HTTPS</li><li>Configure firewall rules</li><li>Apply an IP allowlist</li><li>Enable two-factor authentication</li></ul></li><li><p>Container security:</p><ul><li>Limit container resources</li><li>Run as a non-root user</li><li>Configure security options</li><li>Update images regularly</li></ul></li></ol><h3 id="性能优化"><a href="#性能优化" class="headerlink" 
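title="性能优化"></a>Performance Optimization</h3><ol><li><p>System optimization:</p><ul><li>Use SSD storage</li><li>Tune system parameters</li><li>Configure log rotation</li><li>Optimize network settings</li></ul></li><li><p>Container optimization:</p><ul><li>Allocate resources appropriately</li><li>Use data volumes</li><li>Optimize image size</li><li>Configure health checks</li></ul></li></ol><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>Portainer provides an intuitive Docker management interface and, with appropriate configuration, can meet enterprise container management needs. This document is a complete configuration guide from basic deployment to advanced features; enable features selectively according to your actual needs.</p>]]></content>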
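<summary type="html"><p>This article covers deploying and using Portainer, the Docker management panel, including basic deployment, advanced configuration, user authentication, monitoring integration, backup strategy, and best practices. It provides complete configuration examples and practical recommendations, and is intended as a reference for operations teams building an enterprise Docker container management platform.</p></summary>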
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="Portainer" scheme="https://freemankevin.uk/tags/Portainer/"/>
</entry>
<entry>
<title>Prometheus Deployment and Usage Tutorial</title>
<link href="https://freemankevin.uk/2025/01/13/prometheus/"/>
<id>https://freemankevin.uk/2025/01/13/prometheus/</id>
<published>2025-01-13T09:59:25.000Z</published>
<updated>2025-01-14T08:09:30.939Z</updated>
<content type="html"><![CDATA[<p>This article covers deploying and using the Prometheus monitoring system, including basic deployment, advanced feature configuration, alerting configuration, monitoring metrics, and best practices. It provides extensive configuration examples and practical recommendations, with in-depth coverage of enterprise features such as high-availability deployment, federated clusters, and alert inhibition, and is intended as a reference for operations teams building an enterprise monitoring and alerting platform.</p><span id="more"></span><h2 id="基础部署配置"><a href="#基础部署配置" class="headerlink" title="基础部署配置"></a>Basic Deployment Configuration</h2><h3 id="前提条件"><a href="#前提条件" class="headerlink" title="前提条件"></a>Prerequisites</h3><ol><li><p>System requirements:</p><ul><li>CPU: 4 cores or more</li><li>Memory: 8 GB or more</li><li>Disk: 50 GB or more (SSD recommended)</li><li>Network: 100 Mbps or more</li></ul></li><li><p>Environment requirements:</p><ul><li>Docker 20.10.x or later</li><li>Docker Compose 2.x or later</li><li>Required server ports:<ul><li>Prometheus: 9090</li><li>Grafana: 3000</li><li>Node Exporter: 9100</li><li>AlertManager: 9093</li><li>Thanos: 10901 (optional)</li><li>Make sure none of the ports above are already in use</li></ul></li></ul></li></ol><h3 id="组件说明"><a href="#组件说明" class="headerlink" title="组件说明"></a>Components</h3><ol><li><p>Core components:</p><ul><li>Prometheus Server: collects and stores monitoring data</li><li>Grafana: data visualization platform</li><li>Node Exporter: collects host monitoring data</li><li>AlertManager: alert management</li><li>Thanos: solution for large-scale deployments (optional)</li></ul></li><li><p>Version selection:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">versions:</span></span><br><span class="line">  <span class="attr">prometheus:</span> <span class="string">v2.45.6</span></span><br><span class="line">  <span class="attr">grafana:</span> <span class="number">9.5</span><span class="number">.20</span></span><br><span class="line">  <span class="attr">node_exporter:</span> <span class="string">v1.8.1</span></span><br><span class="line">  <span class="attr">alertmanager:</span> <span class="string">v0.25.0</span></span><br><span class="line">  <span class="attr">thanos:</span> <span class="string">v0.32.0</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="基础配置"><a href="#基础配置" class="headerlink" title="基础配置"></a>Basic Configuration</h3><ol><li><p>Prometheus configuration file:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># prometheus.yml</span></span><br><span 
class="line"><span class="attr">global:</span></span><br><span class="line">  <span class="attr">scrape_interval:</span> <span class="string">15s</span></span><br><span class="line">  <span class="attr">evaluation_interval:</span> <span class="string">15s</span></span><br><span class="line">  <span class="attr">scrape_timeout:</span> <span class="string">10s</span></span><br><span class="line">  <span class="attr">external_labels:</span></span><br><span class="line">    <span class="attr">cluster:</span> <span class="string">'prod'</span></span><br><span class="line">    <span class="attr">replica:</span> <span class="string">'replica1'</span></span><br><span class="line"></span><br><span class="line"><span class="attr">rule_files:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">"rules/*.yml"</span></span><br><span class="line"></span><br><span class="line"><span class="attr">alerting:</span></span><br><span class="line">  <span class="attr">alertmanagers:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">static_configs:</span></span><br><span class="line">        <span class="bullet">-</span> <span class="attr">targets:</span> [<span class="string">'alertmanager:9093'</span>]</span><br><span class="line"></span><br><span class="line"><span class="attr">scrape_configs:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'prometheus'</span></span><br><span class="line">    <span class="attr">static_configs:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">targets:</span> [<span class="string">'localhost:9090'</span>]</span><br><span class="line"></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'node-exporter'</span></span><br><span class="line">    <span class="attr">static_configs:</span></span><br><span class="line">      <span 
class="bullet">-</span> <span class="attr">targets:</span> [<span class="string">'node-exporter:9100'</span>]</span><br></pre></td></tr></table></figure></li><li><p>Docker Compose configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">services:</span></span><br><span class="line">  <span class="attr">prometheus:</span></span><br><span class="line">    <span class="attr">image:</span> <span class="string">prom/prometheus:v2.45.6</span></span><br><span class="line">    <span class="attr">volumes:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">./prometheus.yml:/etc/prometheus/prometheus.yml</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">./rules:/etc/prometheus/rules</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/data/prometheus-data:/prometheus</span></span><br><span class="line">    <span class="attr">command:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--config.file=/etc/prometheus/prometheus.yml'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--storage.tsdb.path=/prometheus'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--storage.tsdb.retention.time=90d'</span></span><br><span class="line">      <span class="comment"># The next two flags expose config reload/shutdown and the TSDB admin API (snapshot, delete series) over HTTP; keep port 9090 off untrusted networks</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--web.enable-lifecycle'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--web.enable-admin-api'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--enable-feature=exemplar-storage'</span></span><br><span class="line">    <span class="attr">ports:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'9090:9090'</span></span><br><span class="line">    <span class="attr">restart:</span> <span 
class="string">unless-stopped</span></span><br><span class="line">    <span class="attr">networks:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">monitoring</span></span><br><span class="line"></span><br><span class="line">  <span class="attr">grafana:</span></span><br><span class="line">    <span class="attr">image:</span> <span class="string">grafana/grafana:9.5.20</span></span><br><span class="line">    <span class="attr">user:</span> <span class="string">"472:472"</span></span><br><span class="line">    <span class="attr">ports:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'3000:3000'</span></span><br><span class="line">    <span class="attr">volumes:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/data/grafana-data:/var/lib/grafana</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">./grafana/provisioning:/etc/grafana/provisioning</span></span><br><span class="line">    <span class="attr">environment:</span></span><br><span class="line">      <span class="comment"># "admin" is Grafana's default admin password; set a strong value before exposing port 3000</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">GF_SECURITY_ADMIN_PASSWORD=admin</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">GF_USERS_ALLOW_SIGN_UP=false</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">GF_AUTH_ANONYMOUS_ENABLED=false</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">GF_INSTALL_PLUGINS=grafana-piechart-panel,grafana-worldmap-panel</span></span><br><span class="line">    <span class="attr">restart:</span> <span class="string">unless-stopped</span></span><br><span class="line">    <span class="attr">networks:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">monitoring</span></span><br><span class="line"></span><br><span class="line">  <span class="attr">node-exporter:</span></span><br><span class="line">    <span 
class="attr">image:</span> <span class="string">prom/node-exporter:v1.8.1</span></span><br><span class="line">    <span class="attr">volumes:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/proc:/host/proc:ro</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/sys:/host/sys:ro</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">/:/rootfs:ro</span></span><br><span class="line">    <span class="attr">command:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--path.procfs=/host/proc'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--path.sysfs=/host/sys'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|host|etc)($$|/)'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--collector.systemd'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--collector.processes'</span></span><br><span class="line">    <span class="attr">ports:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'9100:9100'</span></span><br><span class="line">    <span class="attr">restart:</span> <span class="string">unless-stopped</span></span><br><span class="line">    <span class="attr">networks:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">monitoring</span></span><br><span class="line"></span><br><span class="line">  <span class="attr">alertmanager:</span></span><br><span class="line">    <span class="attr">image:</span> <span class="string">prom/alertmanager:v0.25.0</span></span><br><span class="line">    <span class="attr">volumes:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">./alertmanager:/etc/alertmanager</span></span><br><span 
class="line">    <span class="attr">command:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--config.file=/etc/alertmanager/config.yml'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--storage.path=/alertmanager'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'--cluster.listen-address=0.0.0.0:9094'</span></span><br><span class="line">    <span class="attr">ports:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'9093:9093'</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">'9094:9094'</span></span><br><span class="line">    <span class="attr">restart:</span> <span class="string">unless-stopped</span></span><br><span class="line">    <span class="attr">networks:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="string">monitoring</span></span><br><span class="line"></span><br><span class="line"><span class="attr">networks:</span></span><br><span class="line">  <span class="attr">monitoring:</span></span><br><span class="line">    <span class="attr">driver:</span> <span class="string">bridge</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="目录准备"><a href="#目录准备" class="headerlink" title="目录准备"></a>Directory Preparation</h3><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create the required directories</span></span><br><span class="line"><span class="built_in">mkdir</span> -p /data/{grafana-data,prometheus-data} \</span><br><span class="line"> ./rules/{recording,alerting} \</span><br><span class="line"> ./grafana/provisioning/{datasources,dashboards} \</span><br><span class="line"> ./alertmanager</span><br><span class="line"></span><br><span class="line"><span class="comment"># Set ownership</span></span><br><span class="line"><span class="built_in">chown</span> -R 472:472 /data/grafana-data</span><br><span class="line"><span 
class="built_in">chown</span> -R nobody:nobody /data/prometheus-data</span><br></pre></td></tr></table></figure><h2 id="高级特性配置"><a href="#高级特性配置" class="headerlink" title="高级特性配置"></a>Advanced Feature Configuration</h2><h3 id="高可用部署"><a href="#高可用部署" class="headerlink" title="高可用部署"></a>High Availability Deployment</h3><ol><li><p>Thanos integration configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># thanos-sidecar.yaml</span></span><br><span class="line"><span class="attr">thanos:</span></span><br><span class="line">  <span class="attr">image:</span> <span class="string">thanosio/thanos:v0.32.0</span></span><br><span class="line">  <span class="attr">args:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">"sidecar"</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">"--tsdb.path=/prometheus"</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">"--prometheus.url=http://localhost:9090"</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">"--objstore.config-file=/etc/thanos/storage.yml"</span></span><br><span class="line">  <span class="attr">volumes:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">./thanos-storage.yml:/etc/thanos/storage.yml</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># thanos-storage.yml</span></span><br><span class="line"><span class="attr">type:</span> <span class="string">S3</span></span><br><span class="line"><span class="attr">config:</span></span><br><span class="line">  <span class="attr">bucket:</span> <span class="string">"thanos-metrics"</span></span><br><span class="line">  <span class="attr">endpoint:</span> <span class="string">"minio:9000"</span></span><br><span class="line">  <span class="attr">access_key:</span> <span class="string">"admin"</span></span><br><span class="line">  <span 
class="attr">secret_key:</span> <span class="string">"password"</span></span><br><span class="line">  <span class="attr">insecure:</span> <span class="literal">true</span></span><br></pre></td></tr></table></figure></li><li><p>Cluster configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># prometheus-ha.yml</span></span><br><span class="line"><span class="attr">global:</span></span><br><span class="line">  <span class="attr">external_labels:</span></span><br><span class="line">    <span class="attr">cluster:</span> <span class="string">'cluster1'</span></span><br><span class="line">    <span class="attr">replica:</span> <span class="string">'replica1'</span></span><br><span class="line"></span><br><span class="line"><span class="attr">scrape_configs:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'prometheus'</span></span><br><span class="line">    <span class="attr">static_configs:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">targets:</span></span><br><span class="line">          <span class="bullet">-</span> <span class="string">'prometheus-1:9090'</span></span><br><span class="line">          <span class="bullet">-</span> <span class="string">'prometheus-2:9090'</span></span><br><span class="line">          <span class="bullet">-</span> <span class="string">'prometheus-3:9090'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># High-availability rules</span></span><br><span class="line"><span class="attr">rule_files:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">"rules/ha/*.yml"</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="联邦集群配置"><a href="#联邦集群配置" class="headerlink" title="联邦集群配置"></a>Federation Configuration</h3><ol><li><p>Global Prometheus configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># 
prometheus-global.yml</span></span><br><span class="line"><span class="attr">scrape_configs:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'federate'</span></span><br><span class="line">    <span class="attr">scrape_interval:</span> <span class="string">15s</span></span><br><span class="line">    <span class="attr">honor_labels:</span> <span class="literal">true</span></span><br><span class="line">    <span class="attr">metrics_path:</span> <span class="string">'/federate'</span></span><br><span class="line">    <span class="attr">params:</span></span><br><span class="line">      <span class="string">'match[]'</span><span class="string">:</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">'{job=~".+"}'</span></span><br><span class="line">    <span class="attr">static_configs:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">targets:</span></span><br><span class="line">          <span class="bullet">-</span> <span class="string">'prometheus-dc1:9090'</span></span><br><span class="line">          <span class="bullet">-</span> <span class="string">'prometheus-dc2:9090'</span></span><br></pre></td></tr></table></figure></li><li><p>Hierarchical federation:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Hierarchy configuration</span></span><br><span class="line"><span class="attr">federation_configs:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'upper_federation'</span></span><br><span class="line">    <span class="attr">scrape_interval:</span> <span class="string">30s</span></span><br><span class="line">    <span class="attr">metrics_path:</span> <span class="string">'/federate'</span></span><br><span class="line">    <span class="attr">params:</span></span><br><span class="line">      <span class="string">'match[]'</span><span class="string">:</span></span><br><span 
class="line"> <span class="bullet">-</span> <span class="string">'{__name__=~"job:.+"}'</span></span><br><span class="line"> <span class="attr">static_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">targets:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">'prometheus-global:9090'</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="服务发现配置"><a href="#服务发现配置" class="headerlink" title="服务发现配置"></a>Service discovery configuration</h3><ol><li><p>Kubernetes service discovery:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">scrape_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'kubernetes-nodes'</span></span><br><span class="line"> <span class="attr">kubernetes_sd_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">role:</span> <span class="string">node</span></span><br><span class="line"> <span class="attr">api_server:</span> <span class="string">https://kubernetes.default.svc:443</span></span><br><span class="line"> <span class="attr">tls_config:</span></span><br><span class="line"> <span class="attr">ca_file:</span> <span class="string">/var/run/secrets/kubernetes.io/serviceaccount/ca.crt</span></span><br><span class="line"> <span class="attr">bearer_token_file:</span> <span class="string">/var/run/secrets/kubernetes.io/serviceaccount/token</span></span><br><span class="line"> <span class="attr">relabel_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">source_labels:</span> [<span class="string">__meta_kubernetes_node_name</span>]</span><br><span class="line"> <span class="attr">target_label:</span> <span class="string">node</span></span><br></pre></td></tr></table></figure></li><li><p>Consul service discovery:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span 
class="line"><span class="attr">scrape_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'consul-services'</span></span><br><span class="line"> <span class="attr">consul_sd_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">server:</span> <span class="string">'consul:8500'</span></span><br><span class="line"> <span class="attr">services:</span> [<span class="string">'web'</span>, <span class="string">'api'</span>]</span><br><span class="line"> <span class="attr">relabel_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">source_labels:</span> [<span class="string">__meta_consul_service</span>]</span><br><span class="line"> <span class="attr">target_label:</span> <span class="string">service</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="存储优化配置"><a href="#存储优化配置" class="headerlink" title="存储优化配置"></a>Storage optimization configuration</h3><ol><li><p>TSDB tuning:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">storage:</span></span><br><span class="line"> <span class="attr">tsdb:</span></span><br><span class="line"> <span class="comment"># Block compression</span></span><br><span class="line"> <span class="attr">compression:</span> <span class="string">"snappy"</span></span><br><span class="line"> <span class="comment"># Maximum block duration</span></span><br><span class="line"> <span class="attr">block_duration:</span> <span class="string">"2h"</span></span><br><span class="line"> <span class="comment"># WAL segment size</span></span><br><span class="line"> <span class="attr">wal_segment_size:</span> <span class="string">"128MB"</span></span><br><span class="line"> <span class="comment"># Retention policy</span></span><br><span class="line"> <span class="attr">retention:</span></span><br><span class="line"> <span class="attr">size:</span> <span class="string">"500GB"</span></span><br><span class="line"> 
<span class="attr">time:</span> <span class="string">"90d"</span></span><br><span class="line"> <span class="comment"># Concurrent writes</span></span><br><span class="line"> <span class="attr">write_queue_size:</span> <span class="number">20000</span></span><br><span class="line"> <span class="comment"># Memory mapping</span></span><br><span class="line"> <span class="attr">memory_mapped:</span> <span class="literal">true</span></span><br></pre></td></tr></table></figure></li><li><p>Remote storage integration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">remote_write:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">url:</span> <span class="string">"http://victoriametrics:8428/api/v1/write"</span></span><br><span class="line"> <span class="attr">queue_config:</span></span><br><span class="line"> <span class="attr">max_samples_per_send:</span> <span class="number">10000</span></span><br><span class="line"> <span class="attr">capacity:</span> <span class="number">500000</span></span><br><span class="line"> <span class="attr">max_shards:</span> <span class="number">10</span></span><br><span class="line"></span><br><span class="line"><span class="attr">remote_read:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">url:</span> <span class="string">"http://victoriametrics:8428/api/v1/read"</span></span><br><span class="line"> <span class="attr">read_recent:</span> <span class="literal">true</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="告警配置"><a href="#告警配置" class="headerlink" title="告警配置"></a>Alerting configuration</h2><h3 id="基础告警规则"><a href="#基础告警规则" class="headerlink" title="基础告警规则"></a>Basic alerting rules</h3><ol><li><p>Host monitoring rules:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># rules/host_alerts.yml</span></span><br><span class="line"><span class="attr">groups:</span></span><br><span class="line"><span class="bullet">-</span> 
<span class="attr">name:</span> <span class="string">host_alerts</span></span><br><span class="line"> <span class="attr">rules:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">alert:</span> <span class="string">HighCPUUsage</span></span><br><span class="line"> <span class="attr">expr:</span> <span class="number">100</span> <span class="bullet">-</span> <span class="string">(avg</span> <span class="string">by(instance)</span> <span class="string">(rate(node_cpu_seconds_total{mode="idle"}[5m]))</span> <span class="string">*</span> <span class="number">100</span><span class="string">)</span> <span class="string">></span> <span class="number">80</span></span><br><span class="line"> <span class="attr">for:</span> <span class="string">5m</span></span><br><span class="line"> <span class="attr">labels:</span></span><br><span class="line"> <span class="attr">severity:</span> <span class="string">warning</span></span><br><span class="line"> <span class="attr">annotations:</span></span><br><span class="line"> <span class="attr">summary:</span> <span class="string">"High CPU usage on <span class="template-variable">{{ $labels.instance }}</span>"</span></span><br><span class="line"> <span class="attr">description:</span> <span class="string">"CPU usage is above 80% for 5 minutes"</span></span><br><span class="line"></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">alert:</span> <span class="string">HighMemoryUsage</span></span><br><span class="line"> <span class="attr">expr:</span> <span class="string">(node_memory_MemTotal_bytes</span> <span class="bullet">-</span> <span class="string">node_memory_MemAvailable_bytes)</span> <span class="string">/</span> <span class="string">node_memory_MemTotal_bytes</span> <span class="string">*</span> <span class="number">100</span> <span class="string">></span> <span class="number">85</span></span><br><span class="line"> <span class="attr">for:</span> <span 
class="string">5m</span></span><br><span class="line"> <span class="attr">labels:</span></span><br><span class="line"> <span class="attr">severity:</span> <span class="string">warning</span></span><br><span class="line"> <span class="attr">annotations:</span></span><br><span class="line"> <span class="attr">summary:</span> <span class="string">"High memory usage on <span class="template-variable">{{ $labels.instance }}</span>"</span></span><br></pre></td></tr></table></figure></li><li><p>Service monitoring rules:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># rules/service_alerts.yml</span></span><br><span class="line"><span class="attr">groups:</span></span><br><span class="line"><span class="bullet">-</span> <span class="attr">name:</span> <span class="string">service_alerts</span></span><br><span class="line"> <span class="attr">rules:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">alert:</span> <span class="string">ServiceDown</span></span><br><span class="line"> <span class="attr">expr:</span> <span class="string">up</span> <span class="string">==</span> <span class="number">0</span></span><br><span class="line"> <span class="attr">for:</span> <span class="string">1m</span></span><br><span class="line"> <span class="attr">labels:</span></span><br><span class="line"> <span class="attr">severity:</span> <span class="string">critical</span></span><br><span class="line"> <span class="attr">annotations:</span></span><br><span class="line"> <span class="attr">summary:</span> <span class="string">"Service <span class="template-variable">{{ $labels.job }}</span> is down"</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="告警抑制配置"><a href="#告警抑制配置" class="headerlink" title="告警抑制配置"></a>Alert inhibition configuration</h3><ol><li><p>Basic inhibition rules:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># alertmanager/config.yml</span></span><br><span 
class="line"><span class="attr">inhibit_rules:</span></span><br><span class="line"> <span class="comment"># When a critical alert fires, inhibit the related warning-level alerts</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">source_match:</span></span><br><span class="line"> <span class="attr">severity:</span> <span class="string">'critical'</span></span><br><span class="line"> <span class="attr">target_match:</span></span><br><span class="line"> <span class="attr">severity:</span> <span class="string">'warning'</span></span><br><span class="line"> <span class="attr">equal:</span> [<span class="string">'alertname'</span>, <span class="string">'cluster'</span>, <span class="string">'service'</span>]</span><br><span class="line"></span><br><span class="line"> <span class="comment"># When a cluster-level alert fires, inhibit the related node-level alerts</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">source_match:</span></span><br><span class="line"> <span class="attr">scope:</span> <span class="string">'cluster'</span></span><br><span class="line"> <span class="attr">target_match:</span></span><br><span class="line"> <span class="attr">scope:</span> <span class="string">'node'</span></span><br><span class="line"> <span class="attr">equal:</span> [<span class="string">'cluster'</span>, <span class="string">'instance'</span>]</span><br></pre></td></tr></table></figure></li><li><p>Scenario-based inhibition:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">inhibit_rules:</span></span><br><span class="line"> <span class="comment"># Database primary/replica failover scenario</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">source_match:</span></span><br><span class="line"> <span class="attr">alertname:</span> <span class="string">'DatabaseFailover'</span></span><br><span class="line"> <span class="attr">status:</span> <span class="string">'switching'</span></span><br><span class="line"> <span class="attr">target_match_re:</span></span><br><span 
class="line"> <span class="attr">alertname:</span> <span class="string">'DatabaseHighLatency|DatabaseConnectionError'</span></span><br><span class="line"> <span class="attr">equal:</span> [<span class="string">'database_cluster'</span>]</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Network outage scenario</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">source_match:</span></span><br><span class="line"> <span class="attr">alertname:</span> <span class="string">'NetworkOutage'</span></span><br><span class="line"> <span class="attr">target_match_re:</span></span><br><span class="line"> <span class="attr">alertname:</span> <span class="string">'ServiceDown|EndpointDown'</span></span><br><span class="line"> <span class="attr">equal:</span> [<span class="string">'datacenter'</span>, <span class="string">'rack'</span>]</span><br></pre></td></tr></table></figure></li></ol><h3 id="消息通知集成"><a href="#消息通知集成" class="headerlink" title="消息通知集成"></a>Notification integrations</h3><ol><li><p>DingTalk alert configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">receivers:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">'dingtalk'</span></span><br><span class="line"> <span class="attr">webhook_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">url:</span> <span class="string">'http://dingtalk-webhook:8060/dingtalk/webhook1/send'</span></span><br><span class="line"> <span class="attr">send_resolved:</span> <span class="literal">true</span></span><br></pre></td></tr></table></figure></li><li><p>WeCom (WeChat Work) alert configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">receivers:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">'wechat'</span></span><br><span class="line"> <span 
class="attr">wechat_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">corp_id:</span> <span class="string">'ww92940f************************'</span></span><br><span class="line"> <span class="attr">api_url:</span> <span class="string">'https://qyapi.weixin.qq.com/cgi-bin/'</span></span><br><span class="line"> <span class="attr">api_secret:</span> <span class="string">'Th6******************************************'</span></span><br><span class="line"> <span class="attr">to_party:</span> <span class="string">'1'</span></span><br><span class="line"> <span class="attr">agent_id:</span> <span class="string">'1000001'</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="监控指标"><a href="#监控指标" class="headerlink" title="监控指标"></a>Monitoring metrics</h2><h3 id="系统监控"><a href="#系统监控" class="headerlink" title="系统监控"></a>System monitoring</h3><ol><li><p>Host metrics:</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># CPU utilization</span><br><span class="line">100 - (avg by (instance) (rate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)</span><br><span class="line"></span><br><span class="line"># Memory utilization</span><br><span class="line">(node_memory_MemTotal_bytes - node_memory_MemAvailable_bytes) / node_memory_MemTotal_bytes * 100</span><br><span class="line"></span><br><span class="line"># Disk utilization</span><br><span class="line">100 - ((node_filesystem_avail_bytes * 100) / node_filesystem_size_bytes)</span><br></pre></td></tr></table></figure></li><li><p>Container metrics:</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># Container CPU usage</span><br><span class="line">sum(rate(container_cpu_usage_seconds_total[5m])) by (container_name)</span><br><span class="line"></span><br><span class="line"># Container memory usage</span><br><span class="line">container_memory_usage_bytes{container_name!=""}</span><br></pre></td></tr></table></figure></li></ol><h3 id="应用监控"><a href="#应用监控" class="headerlink" 
title="应用监控"></a>Application monitoring</h3><ol><li>Service metrics:<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># Request volume</span><br><span class="line">rate(http_requests_total[5m])</span><br><span class="line"></span><br><span class="line"># Error rate</span><br><span class="line">sum(rate(http_requests_total{status=~"5.."}[5m])) / sum(rate(http_requests_total[5m])) * 100</span><br></pre></td></tr></table></figure></li></ol><h2 id="运维管理"><a href="#运维管理" class="headerlink" title="运维管理"></a>Operations and maintenance</h2><h3 id="备份策略"><a href="#备份策略" class="headerlink" title="备份策略"></a>Backup strategy</h3><ol><li>Data backup:<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line">BACKUP_DIR=<span class="string">"/backup/prometheus"</span></span><br><span class="line">DATE=$(<span class="built_in">date</span> +%Y%m%d)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Create the backup directory</span></span><br><span class="line"><span class="built_in">mkdir</span> -p <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Back up the data</span></span><br><span class="line">tar czf <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span>/prometheus_data.tar.gz /data/prometheus-data/</span><br><span class="line"></span><br><span class="line"><span class="comment"># Clean up old backups (only the dated directories directly under BACKUP_DIR, never BACKUP_DIR itself)</span></span><br><span class="line">find <span class="variable">${BACKUP_DIR}</span> -mindepth 1 -maxdepth 1 -<span class="built_in">type</span> d -mtime +30 -<span class="built_in">exec</span> <span class="built_in">rm</span> -rf {} \;</span><br></pre></td></tr></table></figure></li></ol><h3 id="监控告警"><a href="#监控告警" class="headerlink" title="监控告警"></a>Monitoring and alerting</h3><ol><li>System monitoring:<figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># rules/system_alerts.yml</span></span><br><span 
class="line"><span class="attr">groups:</span></span><br><span class="line"><span class="bullet">-</span> <span class="attr">name:</span> <span class="string">system_alerts</span></span><br><span class="line"> <span class="attr">rules:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">alert:</span> <span class="string">HighLoad</span></span><br><span class="line"> <span class="attr">expr:</span> <span class="string">node_load1</span> <span class="string">></span> <span class="number">10</span></span><br><span class="line"> <span class="attr">for:</span> <span class="string">5m</span></span><br><span class="line"> <span class="attr">labels:</span></span><br><span class="line"> <span class="attr">severity:</span> <span class="string">warning</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best practices</h2><h3 id="性能优化"><a href="#性能优化" class="headerlink" title="性能优化"></a>Performance optimization</h3><ol><li><p>Scrape optimization:</p><ul><li>Set a sensible scrape interval</li><li>Use an appropriate scrape timeout</li><li>Keep the number of labels under control</li><li>Filter what is scraped</li></ul></li><li><p>Storage optimization:</p><ul><li>Configure an appropriate retention period</li><li>Use compression</li><li>Downsample data</li><li>Configure remote storage</li></ul></li></ol><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security recommendations</h3><ol><li><p>Access control:</p><ul><li>Enable authentication</li><li>Configure TLS</li><li>Implement RBAC</li><li>Restrict network access</li></ul></li><li><p>Data security:</p><ul><li>Back up regularly</li><li>Encrypt sensitive data</li><li>Audit logs</li><li>Vulnerability scanning</li></ul></li></ol><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>Prometheus is a powerful open-source monitoring system; configured and used properly, it can give a team comprehensive monitoring and alerting. This document is a complete configuration guide, from basic deployment to advanced features. Enable features selectively according to your actual needs, and keep refining your monitoring strategy.</p>]]></content>
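<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This article describes in detail how to deploy and use the Prometheus monitoring system, covering basic deployment configuration, advanced feature configuration, alerting configuration, monitoring metrics and best practices. It provides many configuration examples and practical recommendations, and goes into depth on enterprise features such as high-availability deployment, federated clusters and alert inhibition. It is intended as a reference for operations teams building an enterprise monitoring and alerting platform.</p></summary>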
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="Prometheus" scheme="https://freemankevin.uk/tags/Prometheus/"/>
</entry>
<entry>
<title>Harbor Deployment and Usage Tutorial</title>
<link href="https://freemankevin.uk/2025/01/13/harbor/"/>
<id>https://freemankevin.uk/2025/01/13/harbor/</id>
<published>2025-01-13T09:57:25.000Z</published>
<updated>2025-01-13T08:57:40.430Z</updated>
<content type="html"><![CDATA[<p> This article describes in detail how to deploy and use Harbor, the enterprise container image registry, covering basic deployment configuration, system configuration, advanced feature configuration, enterprise features and operations management. It provides many configuration examples and best-practice recommendations, forming a complete guide from basic deployment to enterprise use. It is intended as a reference for DevOps engineers and operations teams building a secure and reliable container image management platform.</p><span id="more"></span><h2 id="基础部署配置"><a href="#基础部署配置" class="headerlink" title="基础部署配置"></a>Basic deployment configuration</h2><h3 id="前提条件"><a href="#前提条件" class="headerlink" title="前提条件"></a>Prerequisites</h3><ol><li><p>System requirements:</p><ul><li>CPU: 4 cores or more</li><li>Memory: 8GB or more</li><li>Disk: 100GB or more (SSD recommended)</li><li>Network: 100Mbps or more</li></ul></li><li><p>Environment requirements:</p><ul><li>Docker 20.10.x or later</li><li>Docker Compose 2.x or later</li><li>Server port requirements:<ul><li>HTTP: 80 (default)</li><li>HTTPS: 443 (default)</li><li>Make sure the ports above are not already in use</li></ul></li></ul></li></ol><h3 id="安装配置"><a href="#安装配置" class="headerlink" title="安装配置"></a>Installation and configuration</h3><ol><li><p>Download and extract Harbor:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Download the offline installer</span></span><br><span class="line">wget https://github.com/goharbor/harbor/releases/download/v2.10.3/harbor-offline-installer-v2.10.3.tgz</span><br><span class="line"></span><br><span class="line"><span class="comment"># Extract the archive</span></span><br><span class="line">tar xf harbor-offline-installer-v2.10.3.tgz</span><br><span class="line"><span class="built_in">cd</span> harbor/</span><br><span class="line"></span><br><span class="line"><span class="comment"># Load the images</span></span><br><span class="line">docker load -i harbor.v2.10.3.tar.gz</span><br></pre></td></tr></table></figure></li><li><p>Configure Harbor:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Copy the configuration template</span></span><br><span class="line"><span class="built_in">cp</span> harbor.yml.tmpl harbor.yml</span><br><span class="line"></span><br><span class="line"><span class="comment"># Edit the configuration file</span></span><br><span class="line"><span class="built_in">cat</span> > harbor.yml << <span class="string">EOF</span></span><br><span class="line"><span class="string">hostname: harbor.example.com # 
change to your actual domain name</span></span><br><span class="line"><span class="string">http:</span></span><br><span class="line"><span class="string"> port: 80</span></span><br><span class="line"><span class="string">data_volume: /data/harbor/data</span></span><br><span class="line"><span class="string">harbor_admin_password: Harbor12345 # change the default password</span></span><br><span class="line"><span class="string">database:</span></span><br><span class="line"><span class="string"> password: root123 # change before production use</span></span><br><span class="line"><span class="string"> max_idle_conns: 100</span></span><br><span class="line"><span class="string"> max_open_conns: 900</span></span><br><span class="line"><span class="string">storage_service:</span></span><br><span class="line"><span class="string"> ca_bundle: /etc/docker/certs.d/harbor.example.com/ca.crt</span></span><br><span class="line"><span class="string"> token_service:</span></span><br><span class="line"><span class="string"> issuer: harbor-token-issuer</span></span><br><span class="line"><span class="string"> expiration: 30</span></span><br><span class="line"><span class="string">log:</span></span><br><span class="line"><span class="string"> level: info</span></span><br><span class="line"><span class="string"> local:</span></span><br><span class="line"><span class="string"> rotate_count: 50</span></span><br><span class="line"><span class="string"> rotate_size: 200M</span></span><br><span class="line"><span class="string"> location: /data/harbor/logs</span></span><br><span class="line"><span class="string">EOF</span></span><br></pre></td></tr></table></figure></li><li><p>Prepare the installation environment:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create the required directories</span></span><br><span class="line"><span class="built_in">mkdir</span> -p /data/harbor/{data,logs,cert}</span><br><span class="line"><span class="built_in">chmod</span> 755 /data/harbor/logs</span><br><span class="line"></span><br><span class="line"><span 
class="comment"># Run the prepare script</span></span><br><span class="line">./prepare</span><br></pre></td></tr></table></figure></li><li><p>Start Harbor:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Install Harbor</span></span><br><span class="line">./install.sh</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify the installation</span></span><br><span class="line">docker compose ps</span><br></pre></td></tr></table></figure></li></ol><h2 id="系统配置"><a href="#系统配置" class="headerlink" title="系统配置"></a>System configuration</h2><h3 id="基础配置"><a href="#基础配置" class="headerlink" title="基础配置"></a>Basic configuration</h3><ol><li><p>Configure name resolution:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Add a hosts entry</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">"192.168.x.x harbor.example.com"</span> >> /etc/hosts</span><br><span class="line"></span><br><span class="line"><span class="comment"># Verify resolution</span></span><br><span class="line">ping harbor.example.com</span><br></pre></td></tr></table></figure></li><li><p>Verify login:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Log in with the default account</span></span><br><span class="line">docker login harbor.example.com -u admin -p Harbor12345</span><br></pre></td></tr></table></figure></li></ol><h3 id="安全配置"><a href="#安全配置" class="headerlink" title="安全配置"></a>Security configuration</h3><ol><li><p>Create a robot account:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">robot_account:</span></span><br><span class="line"> <span class="attr">name:</span> <span class="string">jenkins</span></span><br><span class="line"> <span class="attr">description:</span> <span class="string">"Jenkins CI/CD Integration"</span></span><br><span class="line"> <span class="attr">permissions:</span></span><br><span class="line"> <span class="bullet">-</span> <span 
class="attr">project:</span> <span class="string">"*"</span></span><br><span class="line"> <span class="attr">access:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">pull</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">push</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">delete</span></span><br><span class="line"> <span class="attr">expiration:</span> <span class="string">never</span></span><br></pre></td></tr></table></figure></li><li><p>Configure user roles:</p><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">System role settings:</span><br><span class="line">- Administrator (admin): system administration permissions</span><br><span class="line">- Developer (developer): project-level management permissions</span><br><span class="line">- Guest (guest): read-only permissions</span><br></pre></td></tr></table></figure></li></ol><h3 id="仓库管理"><a href="#仓库管理" class="headerlink" title="仓库管理"></a>Repository management</h3><ol><li><p>Repository policy configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">repository_policy:</span></span><br><span class="line"> <span class="attr">project_quota:</span> <span class="string">20GB</span></span><br><span class="line"> <span class="attr">retention_policy:</span></span><br><span class="line"> <span class="attr">number_of_tags:</span> <span class="number">5</span></span><br><span class="line"> <span class="attr">retention_days:</span> <span class="number">30</span></span><br><span class="line"> <span class="attr">tag_immutability:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">auto_scan:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">vulnerability_scan:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">scan_schedule:</span> <span class="string">"0 0 * * 
*"</span></span><br></pre></td></tr></table></figure></li><li><p>Image cleanup policy:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">garbage_collection:</span></span><br><span class="line"> <span class="attr">schedule:</span> <span class="string">"0 2 * * *"</span></span><br><span class="line"> <span class="attr">delete_untagged:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">dry_run:</span> <span class="literal">false</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="高级特性配置"><a href="#高级特性配置" class="headerlink" title="高级特性配置"></a>Advanced feature configuration</h2><h3 id="复制规则配置"><a href="#复制规则配置" class="headerlink" title="复制规则配置"></a>Replication rule configuration</h3><ol><li><p>Cross-datacenter replication:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">replication_policy:</span></span><br><span class="line"> <span class="attr">name:</span> <span class="string">"dc-sync"</span></span><br><span class="line"> <span class="attr">src_registry:</span></span><br><span class="line"> <span class="attr">url:</span> <span class="string">"https://harbor-dc1.example.com"</span></span><br><span class="line"> <span class="attr">credential:</span></span><br><span class="line"> <span class="attr">type:</span> <span class="string">"secret"</span></span><br><span class="line"> <span class="attr">value:</span> <span class="string">"xxxxxx"</span></span><br><span class="line"> <span class="attr">dest_registry:</span></span><br><span class="line"> <span class="attr">url:</span> <span class="string">"https://harbor-dc2.example.com"</span></span><br><span class="line"> <span class="attr">credential:</span></span><br><span class="line"> <span class="attr">type:</span> <span class="string">"secret"</span></span><br><span class="line"> <span class="attr">value:</span> <span class="string">"xxxxxx"</span></span><br><span class="line"> <span class="attr">filters:</span></span><br><span 
class="line"> <span class="bullet">-</span> <span class="attr">type:</span> <span class="string">"name"</span></span><br><span class="line"> <span class="attr">value:</span> <span class="string">"project/**"</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">type:</span> <span class="string">"tag"</span></span><br><span class="line"> <span class="attr">value:</span> <span class="string">"prod-*"</span></span><br><span class="line"> <span class="attr">trigger:</span></span><br><span class="line"> <span class="attr">type:</span> <span class="string">"scheduled"</span></span><br><span class="line"> <span class="attr">settings:</span></span><br><span class="line"> <span class="attr">cron:</span> <span class="string">"0 0 * * *"</span></span><br></pre></td></tr></table></figure></li><li><p>Image synchronization policy:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">sync_policy:</span></span><br><span class="line"> <span class="attr">deletion:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">override:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">namespaces:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">source:</span> <span class="string">"project-a"</span></span><br><span class="line"> <span class="attr">destination:</span> <span class="string">"project-b"</span></span><br><span class="line"> <span class="attr">filters:</span></span><br><span class="line"> <span class="attr">repository:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"nginx/**"</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"mysql/**"</span></span><br><span class="line"> <span class="attr">tag:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"v*"</span></span><br><span class="line"> <span 
class="bullet">-</span> <span class="string">"latest"</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="存储后端配置"><a href="#存储后端配置" class="headerlink" title="存储后端配置"></a>Storage Backend Configuration</h3><ol><li><p>S3 storage configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">storage:</span></span><br><span class="line"> <span class="attr">type:</span> <span class="string">"s3"</span></span><br><span class="line"> <span class="attr">s3:</span></span><br><span class="line"> <span class="attr">region:</span> <span class="string">"us-east-1"</span></span><br><span class="line"> <span class="attr">bucket:</span> <span class="string">"harbor-storage"</span></span><br><span class="line"> <span class="attr">access_key:</span> <span class="string">"YOUR_ACCESS_KEY"</span></span><br><span class="line"> <span class="attr">secret_key:</span> <span class="string">"YOUR_SECRET_KEY"</span></span><br><span class="line"> <span class="attr">root_directory:</span> <span class="string">"/harbor"</span></span><br><span class="line"> <span class="attr">chunk_size:</span> <span class="number">5242880</span></span><br></pre></td></tr></table></figure></li><li><p>Swift storage configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">storage:</span></span><br><span class="line"> <span class="attr">type:</span> <span class="string">"swift"</span></span><br><span class="line"> <span class="attr">swift:</span></span><br><span class="line"> <span class="attr">username:</span> <span class="string">"admin"</span></span><br><span class="line"> <span class="attr">password:</span> <span class="string">"password"</span></span><br><span class="line"> <span class="attr">auth_url:</span> <span class="string">"https://keystone.example.com/v3"</span></span><br><span class="line"> <span class="attr">container:</span> <span class="string">"harbor"</span></span><br><span class="line"> <span class="attr">region:</span> 
<span class="string">"RegionOne"</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="LDAP-AD集成"><a href="#LDAP-AD集成" class="headerlink" title="LDAP/AD集成"></a>LDAP/AD Integration</h3><ol><li><p>Basic configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">auth_mode:</span> <span class="string">"ldap_auth"</span></span><br><span class="line"><span class="attr">ldap_url:</span> <span class="string">"ldap://openldap.example.com"</span></span><br><span class="line"><span class="attr">ldap_base_dn:</span> <span class="string">"dc=example,dc=com"</span></span><br><span class="line"><span class="attr">ldap_search_dn:</span> <span class="string">"cn=admin,dc=example,dc=com"</span></span><br><span class="line"><span class="attr">ldap_search_password:</span> <span class="string">"password"</span></span><br><span class="line"><span class="attr">ldap_filter:</span> <span class="string">"(&(objectClass=person)(uid=%s))"</span></span><br><span class="line"><span class="attr">ldap_uid:</span> <span class="string">"uid"</span></span><br><span class="line"><span class="attr">ldap_scope:</span> <span class="number">2</span></span><br><span class="line"><span class="attr">ldap_timeout:</span> <span class="number">5</span></span><br></pre></td></tr></table></figure></li><li><p>Advanced synchronization configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">ldap_group_sync:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">cron:</span> <span class="string">"0 0 * * *"</span></span><br><span class="line"> <span class="attr">group_base_dn:</span> <span class="string">"ou=groups,dc=example,dc=com"</span></span><br><span class="line"> <span class="attr">group_filter:</span> <span class="string">"(&(objectClass=groupOfNames))"</span></span><br><span class="line"> <span 
class="attr">group_name_attr:</span> <span class="string">"cn"</span></span><br><span class="line"> <span class="attr">group_member_attr:</span> <span class="string">"member"</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="企业级特性"><a href="#企业级特性" class="headerlink" title="企业级特性"></a>Enterprise Features</h2><h3 id="多集群管理"><a href="#多集群管理" class="headerlink" title="多集群管理"></a>Multi-Cluster Management</h3><ol><li><p>Proxy Cache configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">proxy_cache:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">endpoints:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"dockerhub"</span></span><br><span class="line"> <span class="attr">url:</span> <span class="string">"https://registry-1.docker.io"</span></span><br><span class="line"> <span class="attr">username:</span> <span class="string">"username"</span></span><br><span class="line"> <span class="attr">password:</span> <span class="string">"password"</span></span><br><span class="line"> <span class="attr">patterns:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"library/*"</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"bitnami/*"</span></span><br></pre></td></tr></table></figure></li><li><p>P2P distribution configuration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">p2p_distribution:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">tracker_endpoints:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"udp://tracker1.example.com:6969"</span></span><br><span class="line"> <span class="bullet">-</span> <span 
class="string">"udp://tracker2.example.com:6969"</span></span><br><span class="line"> <span class="attr">seeder_config:</span></span><br><span class="line"> <span class="attr">concurrent_tasks:</span> <span class="number">5</span></span><br><span class="line"> <span class="attr">seed_ratio:</span> <span class="number">1.5</span></span><br><span class="line"> <span class="attr">bandwidth_limit:</span> <span class="string">"100M"</span></span><br></pre></td></tr></table></figure></li></ol><h3 id="容器运行时安全"><a href="#容器运行时安全" class="headerlink" title="容器运行时安全"></a>Container Runtime Security</h3><ol><li><p>Image signature verification:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">signature_verification:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">providers:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"notary"</span></span><br><span class="line"> <span class="attr">endpoint:</span> <span class="string">"https://notary.example.com"</span></span><br><span class="line"> <span class="attr">root_cert:</span> <span class="string">"/path/to/root-ca.crt"</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"cosign"</span></span><br><span class="line"> <span class="attr">public_key:</span> <span class="string">"/path/to/cosign.pub"</span></span><br></pre></td></tr></table></figure></li><li><p>Image scanning policy:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">security_scan:</span></span><br><span class="line"> <span class="attr">scanners:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"trivy"</span></span><br><span class="line"> <span class="attr">adapter_url:</span> <span 
class="string">"http://trivy:8080"</span></span><br><span class="line"> <span class="attr">priority:</span> <span class="number">1</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"clair"</span></span><br><span class="line"> <span class="attr">adapter_url:</span> <span class="string">"http://clair:6060"</span></span><br><span class="line"> <span class="attr">priority:</span> <span class="number">2</span></span><br><span class="line"> <span class="attr">scan_policy:</span></span><br><span class="line"> <span class="attr">severity_threshold:</span> <span class="string">"High"</span></span><br><span class="line"> <span class="attr">whitelist_expiration:</span> <span class="string">7d</span></span><br><span class="line"> <span class="attr">fail_on_findings:</span> <span class="literal">true</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="运维管理"><a href="#运维管理" class="headerlink" title="运维管理"></a>Operations Management</h2><h3 id="备份策略"><a href="#备份策略" class="headerlink" title="备份策略"></a>Backup Strategy</h3><ol><li>Data backup script:<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line">BACKUP_DIR=<span class="string">"/backup/harbor"</span></span><br><span class="line">DATE=$(<span class="built_in">date</span> +%Y%m%d)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Create the backup directory</span></span><br><span class="line"><span class="built_in">mkdir</span> -p <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Stop the Harbor services</span></span><br><span class="line">docker compose down</span><br><span class="line"></span><br><span class="line"><span class="comment"># Back up the data</span></span><br><span class="line">tar czf <span class="variable">${BACKUP_DIR}</span>/<span 
class="variable">${DATE}</span>/harbor_data.tar.gz /data/harbor/</span><br><span class="line"></span><br><span class="line"><span class="comment"># Back up the database</span></span><br><span class="line">docker compose up -d postgresql</span><br><span class="line">docker <span class="built_in">exec</span> harbor-db pg_dump -U postgres registry > <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span>/registry.sql</span><br><span class="line"></span><br><span class="line"><span class="comment"># Start the Harbor services</span></span><br><span class="line">docker compose up -d</span><br></pre></td></tr></table></figure></li></ol><h3 id="监控配置"><a href="#监控配置" class="headerlink" title="监控配置"></a>Monitoring Configuration</h3><ol><li><p>Prometheus integration:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">global:</span></span><br><span class="line"> <span class="attr">scrape_interval:</span> <span class="string">15s</span></span><br><span class="line"> <span class="attr">evaluation_interval:</span> <span class="string">15s</span></span><br><span class="line"></span><br><span class="line"><span class="attr">scrape_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'harbor'</span></span><br><span class="line"> <span class="attr">static_configs:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">targets:</span> [<span class="string">'harbor.example.com'</span>]</span><br><span class="line"> <span class="attr">metrics_path:</span> <span class="string">'/metrics'</span></span><br></pre></td></tr></table></figure></li><li><p>Alert rules:</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">groups:</span></span><br><span class="line"><span class="bullet">-</span> <span class="attr">name:</span> <span class="string">harbor_alerts</span></span><br><span class="line"> <span 
class="attr">rules:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="attr">alert:</span> <span class="string">HarborHighMemoryUsage</span></span><br><span class="line"> <span class="attr">expr:</span> <span class="string">container_memory_usage_bytes{container_name=~"harbor-.*"}</span> <span class="string">></span> <span class="number">1e9</span></span><br><span class="line"> <span class="attr">for:</span> <span class="string">5m</span></span><br><span class="line"> <span class="attr">labels:</span></span><br><span class="line"> <span class="attr">severity:</span> <span class="string">warning</span></span><br><span class="line"> <span class="attr">annotations:</span></span><br><span class="line"> <span class="attr">summary:</span> <span class="string">"Harbor container high memory usage"</span></span><br></pre></td></tr></table></figure></li></ol><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best Practices</h2><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security Recommendations</h3><ol><li><p>System security:</p><ul><li>Use HTTPS for access</li><li>Enable image signing</li><li>Configure vulnerability scanning</li><li>Enforce access control</li></ul></li><li><p>Operational security:</p><ul><li>Update versions regularly</li><li>Monitor system resources</li><li>Configure automatic backups</li><li>Implement a disaster recovery plan</li></ul></li></ol><h3 id="性能优化"><a href="#性能优化" class="headerlink" title="性能优化"></a>Performance Optimization</h3><ol><li><p>System optimization:</p><ul><li>Use SSD storage</li><li>Configure an appropriate GC policy</li><li>Tune the database connection pool</li><li>Apply an image layering strategy</li></ul></li><li><p>Network optimization:</p><ul><li>Configure load balancing</li><li>Enable P2P distribution</li><li>Optimize the proxy cache</li><li>Configure a service mesh</li></ul></li></ol><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>Harbor is an enterprise-grade container image registry platform. With sound configuration and tuning, it can provide a team with secure and reliable image management. This document is a complete configuration guide from basic deployment to enterprise features; enable features selectively according to actual needs, and keep monitoring the system's performance and security.</p>]]></content>
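<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This article walks through deploying and using Harbor, an enterprise-grade container image registry, covering basic deployment configuration, system configuration, advanced feature configuration, enterprise features, operations management, and other core topics. It provides many configuration examples and best-practice recommendations, forming a complete guide from basic deployment to enterprise use, and is intended as a reference for DevOps engineers and operations teams building a secure and reliable container image management platform.</p></summary>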
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="Harbor" scheme="https://freemankevin.uk/tags/Harbor/"/>
</entry>
<entry>
<title>GitLab-CE Deployment and Usage Tutorial</title>
<link href="https://freemankevin.uk/2025/01/13/gitlab/"/>
<id>https://freemankevin.uk/2025/01/13/gitlab/</id>
<published>2025-01-13T08:45:25.000Z</published>
<updated>2025-01-13T08:42:06.239Z</updated>
<content type="html"><![CDATA[<p> This article walks through deploying and using GitLab-CE, covering basic deployment configuration, system configuration, CI/CD configuration, project management, operations management, high-availability configuration, Jenkins integration, container image registry integration, and project collaboration and issue management. It provides many practical configuration examples and best-practice recommendations, and is intended as a reference for DevOps engineers and development teams setting up and tuning a GitLab platform to improve team development efficiency.</p><span id="more"></span><h2 id="基础部署配置"><a href="#基础部署配置" class="headerlink" title="基础部署配置"></a>Basic Deployment Configuration</h2><h3 id="前提条件"><a href="#前提条件" class="headerlink" title="前提条件"></a>Prerequisites</h3><ol><li><p>System requirements:</p><ul><li>CPU: 4 cores or more</li><li>Memory: 8GB or more</li><li>Disk: 50GB or more (SSD recommended)</li><li>Network: 100Mbps or more</li></ul></li><li><p>Environment requirements:</p><ul><li>Docker installed (20.10.x or later)</li><li>Docker Compose installed (2.x or later)</li><li>Server port requirements:<ul><li>HTTP: 80 (default) or custom</li><li>HTTPS: 443 (default) or custom</li><li>SSH: 22 (default) or custom</li><li>Make sure the ports above are not already in use</li></ul></li></ul></li></ol><h3 id="Docker-Compose部署"><a href="#Docker-Compose部署" class="headerlink" title="Docker Compose部署"></a>Docker Compose Deployment</h3><ol><li>Create the deployment configuration file:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">services:</span></span><br><span class="line"> <span class="attr">gitlab:</span></span><br><span class="line"> <span class="attr">restart:</span> <span class="string">always</span></span><br><span class="line"> <span class="attr">image:</span> <span class="string">gitlab/gitlab-ce:16.9.9-ce.0</span></span><br><span class="line"> <span class="attr">container_name:</span> <span class="string">gitlab</span></span><br><span class="line"> <span class="attr">hostname:</span> <span class="string">gitlab.example.com</span> <span class="comment"># Change to your actual domain name</span></span><br><span class="line"> <span class="attr">ports:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"9980:80"</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">'9443:443'</span> </span><br><span class="line"> <span class="bullet">-</span> <span class="string">"9922:22"</span></span><br><span class="line"> <span class="attr">volumes:</span></span><br><span class="line"> 
<span class="bullet">-</span> <span class="string">/etc/localtime:/etc/localtime:ro</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/var/run/docker.sock:/var/run/docker.sock</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/data/gitlab/config:/etc/gitlab</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/data/gitlab/data:/var/opt/gitlab</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/data/gitlab/logs:/var/log/gitlab</span></span><br><span class="line"> <span class="attr">environment:</span></span><br><span class="line"> <span class="attr">TZ:</span> <span class="string">Asia/Shanghai</span></span><br><span class="line"> <span class="attr">GITLAB_OMNIBUS_CONFIG:</span> <span class="string">|</span></span><br><span class="line"><span class="string"> external_url 'http://gitlab.example.com:9980'</span></span><br><span class="line"><span class="string"> gitlab_rails['time_zone'] = 'Asia/Shanghai'</span></span><br><span class="line"><span class="string"></span> </span><br><span class="line"> <span class="comment"># Mail service configuration</span></span><br><span class="line"> <span class="string">gitlab_rails['smtp_enable']</span> <span class="string">=</span> <span class="literal">false</span></span><br><span class="line"> <span class="string">gitlab_rails['gitlab_email_enabled']</span> <span class="string">=</span> <span class="literal">false</span></span><br><span class="line"> <span class="string">gitlab_rails['incoming_email_enabled']</span> <span class="string">=</span> <span class="literal">false</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Performance tuning configuration</span></span><br><span class="line"> <span class="string">puma['worker_processes']</span> <span class="string">=</span> <span class="number">0</span></span><br><span class="line"> <span class="string">puma['min_threads']</span> <span 
class="string">=</span> <span class="number">1</span></span><br><span class="line"> <span class="string">puma['max_threads']</span> <span class="string">=</span> <span class="number">2</span></span><br><span class="line"> <span class="string">sidekiq['max_concurrency']</span> <span class="string">=</span> <span class="number">5</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Disable services that are not needed</span></span><br><span class="line"> <span class="string">gitlab_rails['registry_enabled']</span> <span class="string">=</span> <span class="literal">false</span></span><br><span class="line"> <span class="string">gitlab_rails['packages_enabled']</span> <span class="string">=</span> <span class="literal">false</span></span><br><span class="line"> <span class="string">gitlab_kas['enable']</span> <span class="string">=</span> <span class="literal">false</span></span><br><span class="line"> <span class="string">gitlab_pages['enable']</span> <span class="string">=</span> <span class="literal">false</span></span><br><span class="line"> <span class="string">prometheus_monitoring['enable']</span> <span class="string">=</span> <span class="literal">false</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Database configuration</span></span><br><span class="line"> <span class="string">postgresql['shared_buffers']</span> <span class="string">=</span> <span class="string">"256MB"</span></span><br><span class="line"> <span class="string">postgresql['work_mem']</span> <span class="string">=</span> <span class="string">"8MB"</span></span><br><span class="line"> <span class="string">postgresql['maintenance_work_mem']</span> <span class="string">=</span> <span class="string">"64MB"</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Redis configuration</span></span><br><span class="line"> <span class="string">redis['maxmemory']</span> <span class="string">=</span> <span 
class="string">"256mb"</span></span><br><span class="line"> <span class="string">redis['maxmemory_policy']</span> <span class="string">=</span> <span class="string">"allkeys-lru"</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Create the required directories and set permissions:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">mkdir</span> -p /data/gitlab/{config,data,logs}</span><br><span class="line"><span class="built_in">chmod</span> 0700 /data/gitlab/logs -R </span><br><span class="line"><span class="built_in">chown</span> -R 998:998 /data/gitlab</span><br></pre></td></tr></table></figure><ol start="3"><li>Start the service:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">docker compose up -d</span><br><span class="line">docker compose logs -f --<span class="built_in">tail</span> 1000 gitlab</span><br></pre></td></tr></table></figure><h2 id="系统配置"><a href="#系统配置" class="headerlink" title="系统配置"></a>System Configuration</h2><h3 id="初始化配置"><a href="#初始化配置" class="headerlink" title="初始化配置"></a>Initial Configuration</h3><ol><li>Get the initial root password:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">docker <span class="built_in">exec</span> -it gitlab grep <span class="string">'Password:'</span> /etc/gitlab/initial_root_password</span><br></pre></td></tr></table></figure><ol start="2"><li>Access GitLab:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">http://<your-gitlab-ip>:9980</span><br></pre></td></tr></table></figure><h3 id="基础安全配置"><a href="#基础安全配置" class="headerlink" title="基础安全配置"></a>Basic Security Configuration</h3><ol><li><p>Change the root password:</p><ul><li>Change the default password immediately after logging in</li><li>Use a strong password policy (at least 12 characters, including upper- and lowercase letters, digits, and special characters)</li><li>Rotate the password regularly (every 90 days recommended)</li></ul></li><li><p>Disable sign-up:</p></li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Admin Area > Settings > General > Sign-up restrictions</span><br><span class="line">Uncheck "Sign-up 
enabled"</span><br></pre></td></tr></table></figure><ol start="3"><li>Configure SSH keys:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Generate an SSH key</span></span><br><span class="line">ssh-keygen -t ed25519 -C <span class="string">"[email protected]"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># View the public key</span></span><br><span class="line"><span class="built_in">cat</span> ~/.ssh/id_ed25519.pub</span><br><span class="line"></span><br><span class="line"><span class="comment"># Test the connection</span></span><br><span class="line">ssh -T [email protected]</span><br></pre></td></tr></table></figure><h3 id="系统优化配置"><a href="#系统优化配置" class="headerlink" title="系统优化配置"></a>System Optimization Configuration</h3><ol><li>Turn off unnecessary features:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Admin Area > Settings > General</span><br><span class="line">- Disable Gravatar</span><br><span class="line">- Disable AutoDevOps</span><br><span class="line">- Disable unnecessary integrations</span><br></pre></td></tr></table></figure><ol start="2"><li>Performance tuning configuration:</li></ol><figure class="highlight ruby"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Add to GITLAB_OMNIBUS_CONFIG</span></span><br><span class="line"><span class="comment"># CPU tuning</span></span><br><span class="line">puma[<span class="string">'worker_processes'</span>] = (<span class="variable constant_">CPU</span> cores - <span class="number">1</span>)</span><br><span class="line">puma[<span class="string">'min_threads'</span>] = <span class="number">1</span></span><br><span class="line">puma[<span class="string">'max_threads'</span>] = <span class="number">4</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Memory tuning</span></span><br><span class="line">unicorn[<span class="string">'worker_memory_limit_min'</span>] = <span class="string">"400MB"</span></span><br><span class="line">unicorn[<span 
class="string">'worker_memory_limit_max'</span>] = <span class="string">"600MB"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Cache configuration</span></span><br><span class="line">gitlab_rails[<span class="string">'redis_cache_instance'</span>] = <span class="string">"redis://:password@redis:6379/1"</span></span><br></pre></td></tr></table></figure><h2 id="CI-CD配置"><a href="#CI-CD配置" class="headerlink" title="CI/CD配置"></a>CI/CD Configuration</h2><h3 id="Runner配置"><a href="#Runner配置" class="headerlink" title="Runner配置"></a>Runner Configuration</h3><ol><li>Install GitLab Runner:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">docker run -d --name gitlab-runner --restart always \</span><br><span class="line"> -v /var/run/docker.sock:/var/run/docker.sock \</span><br><span class="line"> -v /srv/gitlab-runner/config:/etc/gitlab-runner \</span><br><span class="line"> gitlab/gitlab-runner:latest</span><br></pre></td></tr></table></figure><ol start="2"><li>Register the Runner:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">docker <span class="built_in">exec</span> -it gitlab-runner gitlab-runner register \</span><br><span class="line"> --non-interactive \</span><br><span class="line"> --url <span class="string">"http://gitlab.example.com:9980"</span> \</span><br><span class="line"> --registration-token <span class="string">"PROJECT_REGISTRATION_TOKEN"</span> \</span><br><span class="line"> --executor <span class="string">"docker"</span> \</span><br><span class="line"> --docker-image alpine:latest \</span><br><span class="line"> --description <span class="string">"docker-runner"</span> \</span><br><span class="line"> --tag-list <span class="string">"docker,aws"</span> \</span><br><span class="line"> --run-untagged=<span class="string">"true"</span> \</span><br><span class="line"> --locked=<span class="string">"false"</span> \</span><br><span class="line"> --access-level=<span 
class="string">"not_protected"</span></span><br></pre></td></tr></table></figure><ol start="3"><li>Runner configuration tuning:</li></ol><figure class="highlight toml"><table><tr><td class="code"><pre><span class="line"><span class="attr">concurrent</span> = <span class="number">4</span></span><br><span class="line"><span class="attr">check_interval</span> = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="section">[[runners]]</span></span><br><span class="line"> <span class="attr">name</span> = <span class="string">"docker-runner"</span></span><br><span class="line"> <span class="attr">url</span> = <span class="string">"http://gitlab.example.com:9980"</span></span><br><span class="line"> <span class="attr">token</span> = <span class="string">"PROJECT_TOKEN"</span></span><br><span class="line"> <span class="attr">executor</span> = <span class="string">"docker"</span></span><br><span class="line"> <span class="section">[runners.docker]</span></span><br><span class="line"> <span class="attr">tls_verify</span> = <span class="literal">false</span></span><br><span class="line"> <span class="attr">image</span> = <span class="string">"alpine:latest"</span></span><br><span class="line"> <span class="attr">privileged</span> = <span class="literal">false</span></span><br><span class="line"> <span class="attr">disable_entrypoint_overwrite</span> = <span class="literal">false</span></span><br><span class="line"> <span class="attr">oom_kill_disable</span> = <span class="literal">false</span></span><br><span class="line"> <span class="attr">disable_cache</span> = <span class="literal">false</span></span><br><span class="line"> <span class="attr">volumes</span> = [<span class="string">"/cache"</span>]</span><br><span class="line"> <span class="attr">shm_size</span> = <span class="number">0</span></span><br><span class="line"> <span class="attr">pull_policy</span> = <span 
class="string">"if-not-present"</span></span><br></pre></td></tr></table></figure><h3 id="CI-CD-Pipeline配置"><a href="#CI-CD-Pipeline配置" class="headerlink" title="CI/CD Pipeline配置"></a>CI/CD Pipeline Configuration</h3><ol><li>Basic pipeline example:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># .gitlab-ci.yml</span></span><br><span class="line"><span class="attr">image:</span> <span class="string">maven:3.8.4-openjdk-17</span></span><br><span class="line"></span><br><span class="line"><span class="attr">variables:</span></span><br><span class="line"> <span class="attr">MAVEN_OPTS:</span> <span class="string">"-Dmaven.repo.local=.m2/repository"</span></span><br><span class="line"> <span class="attr">MAVEN_CLI_OPTS:</span> <span class="string">"--batch-mode --errors --fail-at-end --show-version"</span></span><br><span class="line"></span><br><span class="line"><span class="attr">cache:</span></span><br><span class="line"> <span class="attr">paths:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">.m2/repository/</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">target/</span></span><br><span class="line"></span><br><span class="line"><span class="attr">stages:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">build</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">test</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">analyze</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">deploy</span></span><br><span class="line"></span><br><span class="line"><span class="attr">build:</span></span><br><span class="line"> <span class="attr">stage:</span> <span class="string">build</span></span><br><span class="line"> <span class="attr">script:</span></span><br><span class="line"> <span class="bullet">-</span> 
<span class="string">mvn</span> <span class="string">$MAVEN_CLI_OPTS</span> <span class="string">clean</span> <span class="string">package</span> <span class="string">-DskipTests</span></span><br><span class="line"> <span class="attr">artifacts:</span></span><br><span class="line"> <span class="attr">paths:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">target/*.jar</span></span><br><span class="line"></span><br><span class="line"><span class="attr">test:</span></span><br><span class="line"> <span class="attr">stage:</span> <span class="string">test</span></span><br><span class="line"> <span class="attr">script:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">mvn</span> <span class="string">$MAVEN_CLI_OPTS</span> <span class="string">test</span></span><br><span class="line"> <span class="attr">artifacts:</span></span><br><span class="line"> <span class="attr">reports:</span></span><br><span class="line"> <span class="attr">junit:</span> <span class="string">target/surefire-reports/TEST-*.xml</span></span><br><span class="line"></span><br><span class="line"><span class="attr">sonarqube:</span></span><br><span class="line"> <span class="attr">stage:</span> <span class="string">analyze</span></span><br><span class="line"> <span class="attr">script:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">mvn</span> <span class="string">sonar:sonar</span></span><br><span class="line"> <span class="attr">only:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">main</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">develop</span></span><br><span class="line"></span><br><span class="line"><span class="attr">deploy:</span></span><br><span class="line"> <span class="attr">stage:</span> <span class="string">deploy</span></span><br><span class="line"> <span 
class="attr">script:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">./deploy.sh</span></span><br><span class="line"> <span class="attr">environment:</span></span><br><span class="line"> <span class="attr">name:</span> <span class="string">production</span></span><br><span class="line"> <span class="attr">when:</span> <span class="string">manual</span></span><br><span class="line"> <span class="attr">only:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">main</span></span><br></pre></td></tr></table></figure><h2 id="项目管理"><a href="#项目管理" class="headerlink" title="项目管理"></a>项目管理</h2><h3 id="分支管理"><a href="#分支管理" class="headerlink" title="分支管理"></a>分支管理</h3><ol><li>分支策略:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- main: 主分支,用于生产发布</span><br><span class="line">- develop: 开发分支,用于功能集成</span><br><span class="line">- feature/*: 功能分支,用于新功能开发</span><br><span class="line">- release/*: 发布分支,用于版本发布准备</span><br><span class="line">- hotfix/*: 热修复分支,用于生产问题修复</span><br></pre></td></tr></table></figure><ol start="2"><li>分支保护规则:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Protected Branches:</span><br><span class="line">- main: </span><br><span class="line"> - 需要两人审批</span><br><span class="line"> - 禁止强制推送</span><br><span class="line"> - 需要通过所有CI检查</span><br><span class="line">- develop:</span><br><span class="line"> - 需要一人审查</span><br><span class="line"> - 需要通过基本CI检查</span><br></pre></td></tr></table></figure><h3 id="代码审查"><a href="#代码审查" class="headerlink" title="代码审查"></a>代码审查</h3><ol><li>Merge Request模板:</li></ol><figure class="highlight markdown"><table><tr><td class="code"><pre><span class="line"><span class="section">## 变更说明</span></span><br><span class="line"><span class="bullet">-</span> [ ] 功能变更</span><br><span class="line"><span class="bullet">-</span> [ ] Bug修复</span><br><span class="line"><span 
class="bullet">-</span> [ ] Performance optimization</span><br><span class="line"><span class="bullet">-</span> [ ] Documentation update</span><br><span class="line"></span><br><span class="line"><span class="section">## Testing</span></span><br><span class="line"><span class="bullet">-</span> [ ] Unit tests</span><br><span class="line"><span class="bullet">-</span> [ ] Integration tests</span><br><span class="line"><span class="bullet">-</span> [ ] Performance tests</span><br><span class="line"></span><br><span class="line"><span class="section">## Checklist</span></span><br><span class="line"><span class="bullet">-</span> [ ] Code style check</span><br><span class="line"><span class="bullet">-</span> [ ] Test case coverage</span><br><span class="line"><span class="bullet">-</span> [ ] Documentation update</span><br></pre></td></tr></table></figure><h2 id="运维管理"><a href="#运维管理" class="headerlink" title="运维管理"></a>Operations Management</h2><h3 id="备份策略"><a href="#备份策略" class="headerlink" title="备份策略"></a>Backup Strategy</h3><ol><li>Automated backup script:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line">BACKUP_DIR=<span class="string">"/backup/gitlab"</span></span><br><span class="line">DATE=$(<span class="built_in">date</span> +%Y%m%d)</span><br><span class="line">RETENTION_DAYS=7</span><br><span class="line"></span><br><span class="line"><span class="comment"># Create the backup</span></span><br><span class="line">docker <span class="built_in">exec</span> gitlab gitlab-backup create STRATEGY=copy</span><br><span class="line"></span><br><span class="line"><span class="comment"># Copy the backup files (create the dated directory first)</span></span><br><span class="line"><span class="built_in">mkdir</span> -p <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span></span><br><span class="line"><span class="built_in">cp</span> /data/gitlab/data/backups/*.tar <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span>/</span><br><span class="line"></span><br><span class="line"><span class="comment"># Clean up old backups (only the dated directories directly under BACKUP_DIR)</span></span><br><span class="line">find <span class="variable">${BACKUP_DIR}</span> -mindepth 1 -maxdepth 1 -<span class="built_in">type</span> d -mtime +<span 
class="variable">${RETENTION_DAYS}</span> -<span class="built_in">exec</span> <span class="built_in">rm</span> -rf {} \;</span><br></pre></td></tr></table></figure><ol start="2"><li>Configuration file backup:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line"><span class="built_in">cp</span> -r /data/gitlab/config <span class="variable">${BACKUP_DIR}</span>/<span class="variable">${DATE}</span>/config</span><br></pre></td></tr></table></figure><h3 id="监控告警"><a href="#监控告警" class="headerlink" title="监控告警"></a>Monitoring and Alerting</h3><ol><li>Prometheus configuration:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">global:</span></span><br><span class="line">  <span class="attr">scrape_interval:</span> <span class="string">15s</span></span><br><span class="line">  <span class="attr">evaluation_interval:</span> <span class="string">15s</span></span><br><span class="line"></span><br><span class="line"><span class="attr">scrape_configs:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'gitlab'</span></span><br><span class="line">    <span class="attr">static_configs:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">targets:</span> [<span class="string">'gitlab.example.com:9090'</span>]</span><br></pre></td></tr></table></figure><ol start="2"><li>Alert rules:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">groups:</span></span><br><span class="line"><span class="bullet">-</span> <span class="attr">name:</span> <span class="string">gitlab_alerts</span></span><br><span class="line">  <span class="attr">rules:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">alert:</span> <span class="string">HighCPUUsage</span></span><br><span class="line">    <span 
class="attr">expr:</span> <span class="string">cpu_usage_idle{job="gitlab"}</span> <span class="string"><</span> <span class="number">10</span></span><br><span class="line">    <span class="attr">for:</span> <span class="string">5m</span></span><br><span class="line">    <span class="attr">labels:</span></span><br><span class="line">      <span class="attr">severity:</span> <span class="string">warning</span></span><br><span class="line">    <span class="attr">annotations:</span></span><br><span class="line">      <span class="attr">summary:</span> <span class="string">"High CPU usage"</span></span><br></pre></td></tr></table></figure><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best Practices</h2><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security Recommendations</h3><ol><li><p>Access control:</p><ul><li>Use HTTPS</li><li>Enable two-factor authentication (2FA)</li><li>Enforce a password policy</li><li>Audit user permissions regularly</li></ul></li><li><p>System maintenance:</p><ul><li>Update versions regularly</li><li>Monitor system resources</li><li>Regularly clean up unused data</li><li>Configure alerting</li></ul></li></ol><h3 id="性能优化"><a href="#性能优化" class="headerlink" title="性能优化"></a>Performance Optimization</h3><ol><li><p>Resource configuration:</p><ul><li>Adjust the number of workers according to load</li><li>Optimize the cache configuration</li><li>Use an external database service</li><li>Configure appropriate JVM parameters</li></ul></li><li><p>Usage recommendations:</p><ul><li>Plan the project structure sensibly</li><li>Use .gitignore to filter files</li><li>Regularly clean up old branches</li><li>Use LFS to store large files</li></ul></li></ol><h2 id="高可用配置"><a href="#高可用配置" class="headerlink" title="高可用配置"></a>High Availability Configuration</h2><h3 id="PostgreSQL主从配置"><a href="#PostgreSQL主从配置" class="headerlink" title="PostgreSQL主从配置"></a>PostgreSQL Primary/Replica Configuration</h3><ol><li>Primary node configuration:</li></ol><figure class="highlight ruby"><table><tr><td class="code"><pre><span class="line">postgresql[<span class="string">'listen_address'</span>] = <span class="string">'0.0.0.0'</span></span><br><span class="line">postgresql[<span class="string">'hot_standby'</span>] = <span class="string">'on'</span></span><br><span class="line">postgresql[<span class="string">'wal_level'</span>] = <span class="string">'replica'</span></span><br><span class="line">postgresql[<span class="string">'max_wal_senders'</span>] = <span 
class="number">10</span></span><br><span class="line">postgresql[<span class="string">'max_replication_slots'</span>] = <span class="number">10</span></span><br><span class="line">postgresql[<span class="string">'wal_keep_segments'</span>] = <span class="number">100</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Replica node configuration:</li></ol><figure class="highlight ruby"><table><tr><td class="code"><pre><span class="line">postgresql[<span class="string">'enable'</span>] = <span class="literal">true</span></span><br><span class="line">postgresql[<span class="string">'listen_address'</span>] = <span class="string">'0.0.0.0'</span></span><br><span class="line">postgresql[<span class="string">'hot_standby'</span>] = <span class="string">'on'</span></span><br><span class="line">postgresql[<span class="string">'primary_conninfo'</span>] = <span class="string">'host=PRIMARY_HOST port=5432 user=gitlab_repl password=PASSWORD'</span></span><br></pre></td></tr></table></figure><h3 id="Redis集群配置"><a href="#Redis集群配置" class="headerlink" title="Redis集群配置"></a>Redis Cluster Configuration</h3><ol><li>Redis Sentinel configuration:</li></ol><figure class="highlight ruby"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Primary node configuration</span></span><br><span class="line">redis[<span class="string">'bind'</span>] = <span class="string">'0.0.0.0'</span></span><br><span class="line">redis[<span class="string">'port'</span>] = <span class="number">6379</span></span><br><span class="line">redis[<span class="string">'password'</span>] = <span class="string">'redis-password'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Sentinel configuration</span></span><br><span class="line">sentinel[<span class="string">'enable'</span>] = <span class="literal">true</span></span><br><span class="line">sentinel[<span class="string">'bind'</span>] = <span class="string">'0.0.0.0'</span></span><br><span class="line">sentinel[<span class="string">'port'</span>] = <span 
class="number">26379</span></span><br><span class="line">sentinel[<span class="string">'quorum'</span>] = <span class="number">2</span></span><br></pre></td></tr></table></figure><h3 id="负载均衡配置"><a href="#负载均衡配置" class="headerlink" title="负载均衡配置"></a>Load Balancer Configuration</h3><ol><li>Nginx configuration example:</li></ol><figure class="highlight nginx"><table><tr><td class="code"><pre><span class="line"><span class="section">upstream</span> gitlab {</span><br><span class="line">    <span class="attribute">server</span> gitlab-<span class="number">1</span>.example.com:<span class="number">9980</span>;</span><br><span class="line">    <span class="attribute">server</span> gitlab-<span class="number">2</span>.example.com:<span class="number">9980</span>;</span><br><span class="line">    <span class="attribute">server</span> gitlab-<span class="number">3</span>.example.com:<span class="number">9980</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="section">server</span> {</span><br><span class="line">    <span class="attribute">listen</span> <span class="number">80</span>;</span><br><span class="line">    <span class="attribute">server_name</span> gitlab.example.com;</span><br><span class="line"> </span><br><span class="line">    <span class="section">location</span> / {</span><br><span class="line">        <span class="attribute">proxy_pass</span> http://gitlab;</span><br><span class="line">        <span class="attribute">proxy_set_header</span> Host <span class="variable">$host</span>;</span><br><span class="line">        <span class="attribute">proxy_set_header</span> X-Real-IP <span class="variable">$remote_addr</span>;</span><br><span class="line">    }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h2 id="Jenkins集成"><a href="#Jenkins集成" class="headerlink" title="Jenkins集成"></a>Jenkins Integration</h2><h3 id="Jenkins用户配置"><a href="#Jenkins用户配置" class="headerlink" title="Jenkins用户配置"></a>Jenkins User Configuration</h3><ol><li>Create a dedicated account:</li></ol><figure class="highlight 
text"><table><tr><td class="code"><pre><span class="line">Admin Area > Users > New user</span><br><span class="line">- Username: jenkins-ci</span><br><span class="line">- Name: Jenkins CI</span><br><span class="line">- Access Level: Regular</span><br></pre></td></tr></table></figure><ol start="2"><li>Access token configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">User Settings > Access Tokens</span><br><span class="line">Name: jenkins-api-token</span><br><span class="line">Scopes:</span><br><span class="line">- api</span><br><span class="line">- read_repository</span><br><span class="line">- write_repository</span><br><span class="line">- read_registry</span><br><span class="line">- write_registry</span><br></pre></td></tr></table></figure><ol start="3"><li>Webhook configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Project Settings > Webhooks</span><br><span class="line">URL: https://jenkins.example.com/project/your-project</span><br><span class="line">Secret Token: your-secret-token</span><br><span class="line">Triggers:</span><br><span class="line">- Push events</span><br><span class="line">- Tag push events</span><br><span class="line">- Merge request events</span><br></pre></td></tr></table></figure><h3 id="Jenkins-Pipeline集成"><a href="#Jenkins-Pipeline集成" class="headerlink" title="Jenkins Pipeline集成"></a>Jenkins Pipeline Integration</h3><ol><li>Jenkinsfile example:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line">pipeline {</span><br><span class="line">    agent any</span><br><span class="line"> </span><br><span class="line">    environment {</span><br><span class="line">        GITLAB_TOKEN = credentials(<span class="string">'gitlab-token'</span>)</span><br><span class="line">    }</span><br><span class="line"> </span><br><span class="line">    stages {</span><br><span class="line">        stage(<span class="string">'Checkout'</span>) {</span><br><span class="line">            steps 
{</span><br><span class="line">                checkout([<span class="attr">$class:</span> <span class="string">'GitSCM'</span>,</span><br><span class="line">                    <span class="symbol">branches:</span> [[<span class="attr">name:</span> <span class="string">'*/main'</span>]],</span><br><span class="line">                    <span class="symbol">extensions:</span> [],</span><br><span class="line">                    <span class="symbol">userRemoteConfigs:</span> [[</span><br><span class="line">                        <span class="symbol">url:</span> <span class="string">'https://gitlab.example.com/group/project.git'</span>,</span><br><span class="line">                        <span class="symbol">credentialsId:</span> <span class="string">'gitlab-credentials'</span></span><br><span class="line">                    ]]</span><br><span class="line">                ])</span><br><span class="line">            }</span><br><span class="line">        }</span><br><span class="line"> </span><br><span class="line">        stage(<span class="string">'Update Build Status'</span>) {</span><br><span class="line">            steps {</span><br><span class="line">                updateGitlabCommitStatus(<span class="attr">name:</span> <span class="string">'build'</span>, <span class="attr">state:</span> <span class="string">'running'</span>)</span><br><span class="line">                script {</span><br><span class="line">                    <span class="keyword">try</span> {</span><br><span class="line">                        <span class="comment">// Build steps</span></span><br><span class="line">                        updateGitlabCommitStatus(<span class="attr">name:</span> <span class="string">'build'</span>, <span class="attr">state:</span> <span class="string">'success'</span>)</span><br><span class="line">                    } <span class="keyword">catch</span> (exc) {</span><br><span class="line">                        updateGitlabCommitStatus(<span class="attr">name:</span> <span class="string">'build'</span>, <span class="attr">state:</span> <span class="string">'failed'</span>)</span><br><span class="line">                        <span class="keyword">throw</span> exc</span><br><span class="line">                    }</span><br><span class="line">                }</span><br><span class="line">            }</span><br><span class="line">        
}</span><br><span class="line">    }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h2 id="容器镜像仓库集成"><a href="#容器镜像仓库集成" class="headerlink" title="容器镜像仓库集成"></a>Container Image Registry Integration</h2><h3 id="Harbor集成配置"><a href="#Harbor集成配置" class="headerlink" title="Harbor集成配置"></a>Harbor Integration Configuration</h3><ol><li>Global variable configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Admin Area > Settings > CI/CD > Variables</span><br><span class="line">Add the following variables:</span><br><span class="line">- HARBOR_URL: harbor.example.com (host only, no https://, because it prefixes the image name)</span><br><span class="line">- HARBOR_USERNAME: harbor-user</span><br><span class="line">- HARBOR_PASSWORD: harbor-password</span><br><span class="line">- HARBOR_PROJECT: project-name</span><br></pre></td></tr></table></figure><ol start="2"><li>CI/CD configuration example:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">variables:</span></span><br><span class="line">  <span class="attr">DOCKER_TLS_CERTDIR:</span> <span class="string">""</span></span><br><span class="line">  <span class="attr">HARBOR_IMAGE:</span> <span class="string">${HARBOR_URL}/${HARBOR_PROJECT}/${CI_PROJECT_NAME}</span></span><br><span class="line"></span><br><span class="line"><span class="string">.docker_login:</span> <span class="meta">&docker_login</span></span><br><span class="line">  <span class="attr">before_script:</span></span><br><span class="line">    <span class="comment"># Pass the password on stdin so it does not appear in the process list</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">echo</span> <span class="string">"${HARBOR_PASSWORD}"</span> <span class="string">|</span> <span class="string">docker</span> <span class="string">login</span> <span class="string">-u</span> <span class="string">"${HARBOR_USERNAME}"</span> <span class="string">--password-stdin</span> <span class="string">"${HARBOR_URL}"</span></span><br><span class="line"></span><br><span class="line"><span class="attr">build_image:</span></span><br><span class="line">  <span class="string"><<:</span> <span class="meta">*docker_login</span></span><br><span class="line">  <span class="attr">stage:</span> 
<span class="string">build</span></span><br><span class="line">  <span class="attr">script:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">docker</span> <span class="string">build</span> <span class="string">-t</span> <span class="string">${HARBOR_IMAGE}:${CI_COMMIT_SHA}</span> <span class="string">.</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">docker</span> <span class="string">push</span> <span class="string">${HARBOR_IMAGE}:${CI_COMMIT_SHA}</span></span><br><span class="line">    <span class="bullet">-</span> <span class="string">|</span></span><br><span class="line"><span class="string">      if [[ "$CI_COMMIT_BRANCH" == "main" ]]; then</span></span><br><span class="line"><span class="string">        docker tag ${HARBOR_IMAGE}:${CI_COMMIT_SHA} ${HARBOR_IMAGE}:latest</span></span><br><span class="line"><span class="string">        docker push ${HARBOR_IMAGE}:latest</span></span><br><span class="line"><span class="string">      fi</span></span><br></pre></td></tr></table></figure><h2 id="项目协作与问题管理"><a href="#项目协作与问题管理" class="headerlink" title="项目协作与问题管理"></a>Project Collaboration and Issue Management</h2><h3 id="Issue管理"><a href="#Issue管理" class="headerlink" title="Issue管理"></a>Issue Management</h3><ol><li>Issue type template configuration:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># .gitlab/issue_templates/feature.yml</span></span><br><span class="line"><span class="attr">name:</span> <span class="string">功能需求</span></span><br><span class="line"><span class="attr">description:</span> <span class="string">提交新功能需求</span></span><br><span class="line"><span class="attr">title:</span> <span class="string">"[Feature] "</span></span><br><span class="line"><span class="attr">labels:</span> [<span class="string">"feature"</span>, <span class="string">"待评估"</span>]</span><br><span class="line"><span class="attr">assignees:</span> [<span class="string">"product-owner"</span>]</span><br><span 
class="line"></span><br><span class="line"><span class="attr">body:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">type:</span> <span class="string">markdown</span></span><br><span class="line">    <span class="attr">attributes:</span></span><br><span class="line">      <span class="attr">value:</span> <span class="string">"## 功能需求描述模板"</span></span><br><span class="line"> </span><br><span class="line">  <span class="bullet">-</span> <span class="attr">type:</span> <span class="string">input</span></span><br><span class="line">    <span class="attr">id:</span> <span class="string">business-value</span></span><br><span class="line">    <span class="attr">attributes:</span></span><br><span class="line">      <span class="attr">label:</span> <span class="string">业务价值</span></span><br><span class="line">      <span class="attr">description:</span> <span class="string">此功能可以解决什么问题</span></span><br><span class="line">    <span class="attr">validations:</span></span><br><span class="line">      <span class="attr">required:</span> <span class="literal">true</span></span><br><span class="line"></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">type:</span> <span class="string">textarea</span></span><br><span class="line">    <span class="attr">id:</span> <span class="string">detailed-description</span></span><br><span class="line">    <span class="attr">attributes:</span></span><br><span class="line">      <span class="attr">label:</span> <span class="string">详细说明</span></span><br><span class="line">      <span class="attr">description:</span> <span class="string">功能的具体要求</span></span><br><span class="line">      <span class="attr">value:</span> <span class="string">|</span></span><br><span class="line"><span class="string">        1. 功能点1</span></span><br><span class="line"><span class="string">        2. 
功能点2</span></span><br><span class="line"><span class="string"></span>    <span class="attr">validations:</span></span><br><span class="line">      <span class="attr">required:</span> <span class="literal">true</span></span><br><span class="line"></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">type:</span> <span class="string">dropdown</span></span><br><span class="line">    <span class="attr">id:</span> <span class="string">priority</span></span><br><span class="line">    <span class="attr">attributes:</span></span><br><span class="line">      <span class="attr">label:</span> <span class="string">优先级</span></span><br><span class="line">      <span class="attr">options:</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">P0-紧急</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">P1-高</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">P2-中</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">P3-低</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Workflow configuration:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># .gitlab/workflow.yml</span></span><br><span class="line"><span class="attr">workflow:</span></span><br><span class="line">  <span class="attr">rules:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">if:</span> <span class="string">$CI_MERGE_REQUEST_ID</span></span><br><span class="line">      <span class="attr">when:</span> <span class="string">never</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">if:</span> <span class="string">$CI_COMMIT_TAG</span></span><br><span class="line">      <span class="attr">when:</span> <span class="string">never</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">when:</span> <span 
class="string">always</span></span><br><span class="line"></span><br><span class="line"><span class="attr">stages:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">triage</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">review</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">implementation</span></span><br><span class="line">  <span class="bullet">-</span> <span class="string">verification</span></span><br><span class="line"></span><br><span class="line"><span class="attr">triage:</span></span><br><span class="line">  <span class="attr">rules:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">if:</span> <span class="string">$CI_PIPELINE_SOURCE</span> <span class="string">==</span> <span class="string">"merge_request_event"</span></span><br><span class="line">      <span class="attr">when:</span> <span class="string">never</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">if:</span> <span class="string">$CI_COMMIT_BRANCH</span> <span class="string">==</span> <span class="string">$CI_DEFAULT_BRANCH</span></span><br><span class="line">      <span class="attr">when:</span> <span class="string">never</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">when:</span> <span class="string">always</span></span><br></pre></td></tr></table></figure><h3 id="项目看板"><a href="#项目看板" class="headerlink" title="项目看板"></a>Project Board</h3><ol><li>Agile development board configuration:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">board:</span></span><br><span class="line">  <span class="attr">name:</span> <span class="string">"Sprint Board"</span></span><br><span class="line">  <span class="attr">lists:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"待处理"</span></span><br><span 
class="line">      <span class="attr">label:</span> <span class="string">"backlog"</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"开发中"</span></span><br><span class="line">      <span class="attr">label:</span> <span class="string">"in-progress"</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"待审核"</span></span><br><span class="line">      <span class="attr">label:</span> <span class="string">"review"</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"测试中"</span></span><br><span class="line">      <span class="attr">label:</span> <span class="string">"testing"</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"已完成"</span></span><br><span class="line">      <span class="attr">label:</span> <span class="string">"done"</span></span><br><span class="line"></span><br><span class="line"><span class="attr">automation:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">trigger:</span> <span class="string">"issue.labeled"</span></span><br><span class="line">    <span class="attr">label:</span> <span class="string">"in-progress"</span></span><br><span class="line">    <span class="attr">action:</span> <span class="string">"move_to_list"</span></span><br><span class="line">    <span class="attr">target_list:</span> <span class="string">"开发中"</span></span><br><span class="line">    <span class="attr">assign_to:</span> <span class="string">"@creator"</span></span><br></pre></td></tr></table></figure><h3 id="时间管理"><a href="#时间管理" class="headerlink" title="时间管理"></a>Time Management</h3><ol><li>Time tracking configuration:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">time_tracking:</span></span><br><span class="line">  <span class="attr">default_estimate:</span> <span 
class="string">"4h"</span></span><br><span class="line">  <span class="attr">increment_minutes:</span> <span class="number">15</span></span><br><span class="line">  <span class="attr">time_format:</span> <span class="string">"absolute"</span></span><br><span class="line">  <span class="attr">report_frequency:</span> <span class="string">"weekly"</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Sprint configuration:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">sprint:</span></span><br><span class="line">  <span class="attr">duration:</span> <span class="string">2weeks</span></span><br><span class="line">  <span class="attr">start_day:</span> <span class="string">monday</span></span><br><span class="line">  <span class="attr">planning_template:</span> <span class="string">|</span></span><br><span class="line"><span class="string">    ## Sprint 计划会议</span></span><br><span class="line"><span class="string">    1. 回顾上个Sprint</span></span><br><span class="line"><span class="string">    2. 确定本次Sprint目标</span></span><br><span class="line"><span class="string">    3. 评估任务工时</span></span><br><span class="line"><span class="string">    4. 
分配任务责任人</span></span><br></pre></td></tr></table></figure><h3 id="团队协作"><a href="#团队协作" class="headerlink" title="团队协作"></a>Team Collaboration</h3><ol><li>Code review rules:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">review_rules:</span></span><br><span class="line">  <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">"代码审查"</span></span><br><span class="line">    <span class="attr">conditions:</span></span><br><span class="line">      <span class="attr">min_approvals:</span> <span class="number">2</span></span><br><span class="line">      <span class="attr">required_reviewers:</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">tech-lead</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">senior-developer</span></span><br><span class="line">      <span class="attr">block_on:</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">failing_tests</span></span><br><span class="line">        <span class="bullet">-</span> <span class="string">merge_conflicts</span></span><br><span class="line">    <span class="attr">actions:</span></span><br><span class="line">      <span class="attr">auto_merge:</span> <span class="literal">false</span></span><br><span class="line">      <span class="attr">notify_channel:</span> <span class="string">"#code-review"</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Team report template:</li></ol><figure class="highlight markdown"><table><tr><td class="code"><pre><span class="line"><span class="section">## Daily Stand-up Report</span></span><br><span class="line"></span><br><span class="line"><span class="section">### Completed Yesterday</span></span><br><span class="line"><span class="bullet">-</span> [ ] Task 1 (2h / estimated 3h)</span><br><span class="line"><span class="bullet">-</span> [ ] Task 2 (4h / estimated 4h)</span><br><span class="line"></span><br><span class="line"><span class="section">### Plan for Today</span></span><br><span 
class="line"><span class="bullet">1.</span> 功能开发</span><br><span class="line"><span class="bullet"> -</span> [ ] 任务A (预估4h)</span><br><span class="line"><span class="bullet"> -</span> [ ] 任务B (预估2h)</span><br><span class="line"><span class="bullet">2.</span> 问题修复</span><br><span class="line"><span class="bullet"> -</span> [ ] Bug#123 (预估1h)</span><br><span class="line"></span><br><span class="line"><span class="section">### 遇到的问题</span></span><br><span class="line"><span class="bullet">1.</span> 问题描述</span><br><span class="line"><span class="bullet">2.</span> 解决方案</span><br><span class="line"></span><br><span class="line"><span class="section">### 需要协助</span></span><br><span class="line"><span class="bullet">-</span> [ ] 需求澄清</span><br><span class="line"><span class="bullet">-</span> [ ] 技术支持</span><br></pre></td></tr></table></figure><h3 id="度量与报告"><a href="#度量与报告" class="headerlink" title="度量与报告"></a>度量与报告</h3><ol><li>项目度量配置:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">metrics:</span></span><br><span class="line"> <span class="attr">cycle_time:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">alert_threshold:</span> <span class="string">"48h"</span></span><br><span class="line"> </span><br><span class="line"> <span class="attr">code_quality:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">minimum_coverage:</span> <span class="number">80</span><span class="string">%</span></span><br><span class="line"> </span><br><span class="line"> <span class="attr">team_velocity:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">sprint_length:</span> <span class="string">2weeks</span></span><br><span 
class="line"> </span><br><span class="line"> <span class="attr">burndown:</span></span><br><span class="line"> <span class="attr">enabled:</span> <span class="literal">true</span></span><br><span class="line"> <span class="attr">chart_type:</span> <span class="string">"story_points"</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Automated reports:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">reports:</span></span><br><span class="line"> <span class="attr">schedule:</span> <span class="string">"0 9 * * MON"</span></span><br><span class="line"> <span class="attr">recipients:</span> </span><br><span class="line"> <span class="bullet">-</span> <span class="string">project-manager</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">team-lead</span></span><br><span class="line"> <span class="attr">format:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">pdf</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">html</span></span><br><span class="line"> <span class="attr">content:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">sprint_progress</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">issue_statistics</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">merge_request_metrics</span></span><br></pre></td></tr></table></figure><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>GitLab-CE is a capable code-hosting and CI/CD platform; with sensible configuration and tuning it gives a team an efficient, stable development environment. This document is a complete configuration guide, from basic deployment to advanced features. Enable features selectively according to your actual needs, and keep monitoring the system's performance and security.</p>]]></content>
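<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This article is a detailed tutorial on deploying and using GitLab-CE. It covers basic deployment, system configuration, CI&#x2F;CD configuration, project management, operations, high-availability configuration, Jenkins integration, container registry integration, and project collaboration and issue management. It provides many practical configuration examples and best-practice recommendations for DevOps engineers and development teams who need to build and tune a GitLab platform and improve team development efficiency.</p></summary>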
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="Gitlab" scheme="https://freemankevin.uk/tags/Gitlab/"/>
</entry>
<entry>
<title>Jenkins Deployment and Usage Tutorial</title>
<link href="https://freemankevin.uk/2025/01/13/jenkins/"/>
<id>https://freemankevin.uk/2025/01/13/jenkins/</id>
<published>2025-01-13T08:05:25.000Z</published>
<updated>2025-01-13T08:07:44.657Z</updated>
<content type="html"><![CDATA[<p> This article is a detailed tutorial on deploying and using Jenkins, a complete guide running from basic deployment and core system configuration through pipeline configuration to advanced features. It has six parts (basic deployment, system configuration, pipeline configuration, advanced features, operations, and best practices) and includes many practical code examples and configuration notes. Both Jenkins newcomers and experienced DevOps engineers should find material here that helps them use Jenkins for continuous integration and continuous deployment.</p><span id="more"></span><h2 id="基础部署配置"><a href="#基础部署配置" class="headerlink" title="基础部署配置"></a>Basic Deployment Configuration</h2><h3 id="前提条件"><a href="#前提条件" class="headerlink" title="前提条件"></a>Prerequisites</h3><ol><li>Docker installed</li><li>Docker Compose installed</li><li>Minimum system requirements:<ul><li>CPU: 2 cores</li><li>Memory: 4GB</li><li>Disk: 50GB</li></ul></li></ol><h3 id="版本选择"><a href="#版本选择" class="headerlink" title="版本选择"></a>Choosing a Version</h3><p>Choose an LTS release, and use a JDK version that is compatible with Jenkins.</p><p>For example, you can use the Docker image <code>jenkins/jenkins:2.452.2-lts-jdk17</code>, which is based on Java 17 and provides good performance and the latest security features.</p><h3 id="Docker-Compose-部署"><a href="#Docker-Compose-部署" class="headerlink" title="Docker Compose 部署"></a>Docker Compose Deployment</h3><p><strong>Create the configuration file</strong></p><ol><li>Create the <code>docker-compose.yml</code> file:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">services:</span></span><br><span class="line"> <span class="attr">jenkins:</span></span><br><span class="line"> <span class="attr">image:</span> <span class="string">jenkins/jenkins:2.452.2-lts-jdk17</span> </span><br><span class="line"> <span class="attr">container_name:</span> <span class="string">jenkins</span></span><br><span class="line"> <span class="attr">environment:</span></span><br><span class="line"> <span class="attr">JAVA_OPTS:</span> <span class="string">"-Djenkins.install.runSetupWizard=false -Dhudson.PluginManager.noPluginExtensions=true"</span></span><br><span class="line"> <span class="attr">TZ:</span> <span class="string">"Asia/Shanghai"</span></span><br><span class="line"> <span class="attr">ports:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">"8080:8080"</span></span><br><span class="line"> <span class="bullet">-</span> <span 
class="string">"50000:50000"</span></span><br><span class="line"> <span class="attr">volumes:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/etc/localtime:/etc/localtime:ro</span></span><br><span class="line"> <span class="comment"># docker.sock gives this container control of the host Docker daemon (root-equivalent on the host)</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/var/run/docker.sock:/var/run/docker.sock</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/data/jenkins:/var/jenkins_home</span></span><br><span class="line"> <span class="attr">restart:</span> <span class="string">always</span></span><br><span class="line"> <span class="attr">healthcheck:</span></span><br><span class="line"> <span class="attr">test:</span> [<span class="string">"CMD"</span>, <span class="string">"curl"</span>, <span class="string">"-f"</span>, <span class="string">"http://localhost:8080/login"</span>]</span><br><span class="line"> <span class="attr">interval:</span> <span class="string">30s</span></span><br><span class="line"> <span class="attr">timeout:</span> <span class="string">10s</span></span><br><span class="line"> <span class="attr">retries:</span> <span class="number">3</span></span><br><span class="line"> <span class="attr">start_period:</span> <span class="string">40s</span></span><br></pre></td></tr></table></figure><p><strong>Start the service</strong></p><ol><li>Create the data directory and set permissions:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">mkdir</span> -p /data/jenkins</span><br><span class="line"><span class="built_in">chown</span> 1000:1000 /data/jenkins</span><br></pre></td></tr></table></figure><ol start="2"><li>Start the service:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">docker compose up -d</span><br></pre></td></tr></table></figure><ol start="3"><li>Check the service status:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">docker compose ps</span><br><span class="line">docker compose logs 
-f</span><br></pre></td></tr></table></figure><h3 id="初始化配置"><a href="#初始化配置" class="headerlink" title="初始化配置"></a>Initial Configuration</h3><p><strong>Logging in</strong></p><ol><li>Open the Jenkins URL: <code>http://<your-server-ip>:8080</code></li><li>Get the initial password:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">cat</span> /data/jenkins/secrets/initialAdminPassword</span><br></pre></td></tr></table></figure><p><strong>Basic setup</strong></p><ol><li>Choose the custom plugin installation option</li><li>Create the administrator account (suggested: admin/<a href="mailto:Admin@123.com">Admin@123.com</a>)</li><li>Configure the access URL (keep the default)</li></ol><h3 id="插件管理"><a href="#插件管理" class="headerlink" title="插件管理"></a>Plugin Management</h3><p><strong>Installing core plugins</strong></p><p>The following base plugins are recommended:</p><ol><li><strong>Pipeline</strong>: core pipeline plugin</li><li><strong>GitLab</strong>: GitLab integration plugin</li><li><strong>Publish Over SSH</strong>: SSH publishing plugin</li><li><strong>File Parameter</strong>: file parameter plugin</li><li><strong>Role-Based Strategy</strong>: permission management plugin</li><li><strong>Docker Pipeline</strong>: Docker integration plugin</li><li><strong>Blue Ocean</strong>: modern UI plugin</li><li><strong>Kubernetes</strong>: K8s integration plugin</li></ol><p><strong>Installation methods</strong></p><ol><li>Online installation:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > Plugins > Available plugins</span><br></pre></td></tr></table></figure><ol start="2"><li>Offline installation:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Download the plugins (.hpi files) to /data/jenkins/plugins/</span></span><br><span class="line"><span class="built_in">chown</span> 1000:1000 /data/jenkins/plugins/*.hpi</span><br><span class="line"><span class="comment"># Restart Jenkins</span></span><br><span class="line">docker compose restart jenkins</span><br></pre></td></tr></table></figure><p><strong>Plugin update policy</strong></p><ol><li>Check for updates regularly</li><li>Update security-related plugins first</li><li>Test version changes to important plugins</li><li>Configure a plugin update site (recommended):</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span 
class="line">Manage Jenkins > Manage Plugins > Advanced > Update Site</span><br><span class="line">https://mirrors.tuna.tsinghua.edu.cn/jenkins/updates/update-center.json</span><br></pre></td></tr></table></figure><h2 id="系统核心配置"><a href="#系统核心配置" class="headerlink" title="系统核心配置"></a>Core System Configuration</h2><h3 id="系统基础设置"><a href="#系统基础设置" class="headerlink" title="系统基础设置"></a>Basic System Settings</h3><p><strong>Global tool configuration</strong></p><ol><li>JDK configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > Global Tool Configuration > JDK</span><br><span class="line">- Name: JDK17</span><br><span class="line">- JAVA_HOME: /opt/java/openjdk</span><br></pre></td></tr></table></figure><ol start="2"><li>Maven configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > Global Tool Configuration > Maven</span><br><span class="line">- Name: Maven3</span><br><span class="line">- Install automatically: checked</span><br><span class="line">- Version: 3.8.4</span><br></pre></td></tr></table></figure><ol start="3"><li>Git configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > Global Tool Configuration > Git</span><br><span class="line">- Name: Default</span><br><span class="line">- Path to Git executable: git</span><br></pre></td></tr></table></figure><p><strong>System configuration</strong></p><ol><li>Number of executors:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > System Configuration > Configure System</span><br><span class="line">Number of executors: set according to the server's CPU core count (suggested: CPU cores - 1)</span><br></pre></td></tr></table></figure><ol start="2"><li>Build job configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Default build retention policy: keep the last 10 builds</span><br><span class="line">- Workspace cleanup policy: clean up after every build</span><br></pre></td></tr></table></figure><h3 id="安全配置"><a href="#安全配置" class="headerlink" 
title="安全配置"></a>Security Configuration</h3><p><strong>Authentication</strong></p><ol><li>Database-based authentication:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > Security > Configure Global Security</span><br><span class="line">Security Realm: Jenkins' own user database</span><br></pre></td></tr></table></figure><ol start="2"><li>LDAP authentication:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Security Realm: LDAP</span><br><span class="line">- Server: ldap://ldap.example.com:389</span><br><span class="line">- Root DN: dc=example,dc=com</span><br><span class="line">- User search base: ou=users</span><br><span class="line">- Group search base: ou=groups</span><br></pre></td></tr></table></figure><p><strong>Authorization</strong></p><ol><li>Role-based access control:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Authorization: Role-Based Strategy</span><br></pre></td></tr></table></figure><ol start="2"><li>Role definitions:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line"><span class="comment">// Global roles</span></span><br><span class="line">globalRoles.create(<span class="string">'admin'</span>, [</span><br><span class="line"> <span class="string">'Overall/Administer'</span>,</span><br><span class="line"> <span class="string">'Overall/Read'</span>,</span><br><span class="line"> <span class="string">'Job/Create'</span>,</span><br><span class="line"> <span class="string">'Job/Delete'</span>,</span><br><span class="line"> <span class="string">'Job/Configure'</span></span><br><span class="line">])</span><br><span class="line"></span><br><span class="line"><span class="comment">// Project roles</span></span><br><span class="line">projectRoles.create(<span class="string">'developer'</span>, <span class="string">'project-.*'</span>, [</span><br><span class="line"> <span class="string">'Job/Build'</span>,</span><br><span class="line"> <span 
class="string">'Job/Read'</span>,</span><br><span class="line"> <span class="string">'Job/Workspace'</span></span><br><span class="line">])</span><br><span class="line"></span><br><span class="line"><span class="comment">// Read-only role</span></span><br><span class="line">globalRoles.create(<span class="string">'viewer'</span>, [</span><br><span class="line"> <span class="string">'Overall/Read'</span>,</span><br><span class="line"> <span class="string">'Job/Read'</span></span><br><span class="line">])</span><br></pre></td></tr></table></figure><h3 id="节点管理"><a href="#节点管理" class="headerlink" title="节点管理"></a>Node Management</h3><p><strong>Master node configuration</strong></p><ol><li>Resource limits:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > System Configuration > Configure System</span><br><span class="line">- Working directory: /var/jenkins_home/workspace</span><br><span class="line">- Build history: keep for 30 days</span><br></pre></td></tr></table></figure><ol start="2"><li>Label configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Labels: master-node</span><br><span class="line">Usage: use this node as much as possible</span><br></pre></td></tr></table></figure><p><strong>Slave node configuration</strong></p><ol><li>Add a node:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > Nodes > New Node</span><br><span class="line">- Node name: slave-01</span><br><span class="line">- Type: Permanent Agent</span><br></pre></td></tr></table></figure><ol start="2"><li>Node settings:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">Remote root directory:</span> <span class="string">/data/jenkins/agent</span></span><br><span class="line"><span class="attr">Labels:</span> <span class="string">slave-node</span> <span class="string">docker</span> <span class="string">kubernetes</span></span><br><span class="line"><span class="attr">Launch method:</span> <span class="string">Launch</span> <span 
class="string">agent</span> <span class="string">via</span> <span class="string">SSH</span></span><br><span class="line"><span class="attr">Host:</span> <span class="string">slave-node-ip</span></span><br><span class="line"><span class="attr">Credentials:</span> <span class="string">SSH</span> <span class="string">Username</span> <span class="string">with</span> <span class="string">private</span> <span class="string">key</span></span><br></pre></td></tr></table></figure><ol start="3"><li>Docker agent configuration:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="attr">version:</span> <span class="string">'3.8'</span></span><br><span class="line"><span class="attr">services:</span></span><br><span class="line"> <span class="attr">jenkins-agent:</span></span><br><span class="line"> <span class="attr">image:</span> <span class="string">jenkins/inbound-agent:latest-jdk17</span></span><br><span class="line"> <span class="attr">container_name:</span> <span class="string">jenkins-agent</span></span><br><span class="line"> <span class="attr">environment:</span></span><br><span class="line"> <span class="attr">JENKINS_URL:</span> <span class="string">"http://jenkins-master:8080"</span></span><br><span class="line"> <span class="attr">JENKINS_SECRET:</span> <span class="string">"${AGENT_SECRET}"</span></span><br><span class="line"> <span class="attr">JENKINS_AGENT_NAME:</span> <span class="string">"docker-agent"</span></span><br><span class="line"> <span class="attr">volumes:</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/var/run/docker.sock:/var/run/docker.sock</span></span><br><span class="line"> <span class="bullet">-</span> <span class="string">/data/jenkins-agent:/home/jenkins/agent</span></span><br><span class="line"> <span class="attr">restart:</span> <span class="string">unless-stopped</span></span><br></pre></td></tr></table></figure><h3 id="凭证管理"><a href="#凭证管理" 
class="headerlink" title="凭证管理"></a>Credentials Management</h3><p><strong>Credential types</strong></p><ol><li>Username and password:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Kind: Username with password</span><br><span class="line">Scope: Global</span><br><span class="line">ID: gitlab-auth</span><br><span class="line">Description: GitLab access credentials</span><br></pre></td></tr></table></figure><ol start="2"><li>SSH key:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Kind: SSH Username with private key</span><br><span class="line">Scope: Global</span><br><span class="line">ID: ssh-deploy-key</span><br><span class="line">Description: SSH key for the deployment server</span><br></pre></td></tr></table></figure><ol start="3"><li>Secret text:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Kind: Secret text</span><br><span class="line">Scope: Global</span><br><span class="line">ID: api-token</span><br><span class="line">Description: API access token</span><br></pre></td></tr></table></figure><p><strong>Using credentials</strong></p><ol><li>Use in a Pipeline:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line">withCredentials([</span><br><span class="line"> usernamePassword(</span><br><span class="line"> <span class="symbol">credentialsId:</span> <span class="string">'gitlab-auth'</span>,</span><br><span class="line"> <span class="symbol">usernameVariable:</span> <span class="string">'GITLAB_USER'</span>,</span><br><span class="line"> <span class="symbol">passwordVariable:</span> <span class="string">'GITLAB_PASS'</span></span><br><span class="line"> )</span><br><span class="line">]) {</span><br><span class="line"> <span class="comment">// Single-quoted Groovy string: the shell expands the variables, so Groovy never interpolates the secret into the command</span></span><br><span class="line"> sh <span class="string">'''</span></span><br><span class="line"><span class="string"> git clone https://${GITLAB_USER}:${GITLAB_PASS}@gitlab.example.com/project.git</span></span><br><span class="line"><span class="string"> '''</span></span><br><span 
class="line">}</span><br></pre></td></tr></table></figure><h3 id="视图管理"><a href="#视图管理" class="headerlink" title="视图管理"></a>View Management</h3><p><strong>View types</strong></p><ol><li>List view:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">New View > List View</span><br><span class="line">- Name: Backend Projects</span><br><span class="line">- Job Filters: </span><br><span class="line"> - Job name pattern: backend-.*</span><br></pre></td></tr></table></figure><ol start="2"><li>My view:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">New View > My View</span><br><span class="line">- Name: My Tasks</span><br></pre></td></tr></table></figure><ol start="3"><li>Dashboard view:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">New View > Dashboard View</span><br><span class="line">- Name: Project Status</span><br><span class="line">- Displayed content:</span><br><span class="line"> - Build History</span><br><span class="line"> - Build Statistics</span><br><span class="line"> - Jenkins Jobs Statistics</span><br></pre></td></tr></table></figure><h2 id="流水线配置"><a href="#流水线配置" class="headerlink" title="流水线配置"></a>Pipeline Configuration</h2><h3 id="基础流水线"><a href="#基础流水线" class="headerlink" title="基础流水线"></a>Basic Pipelines</h3><p><strong>Pipeline syntax</strong></p><ol><li>Basic structure of a declarative Pipeline:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line">pipeline {</span><br><span class="line"> agent any</span><br><span class="line"> </span><br><span class="line"> environment {</span><br><span class="line"> JAVA_HOME = <span class="string">'/usr/local/jdk17'</span></span><br><span class="line"> MAVEN_HOME = <span class="string">'/usr/local/maven'</span></span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> stages {</span><br><span class="line"> stage(<span class="string">'检出代码'</span>) {</span><br><span class="line"> steps {</span><br><span 
class="line"> git <span class="attr">branch:</span> <span class="string">'main'</span>, </span><br><span class="line"> <span class="symbol">url:</span> <span class="string">'https://gitlab.example.com/project.git'</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> stage(<span class="string">'编译构建'</span>) {</span><br><span class="line"> steps {</span><br><span class="line"> sh <span class="string">'mvn clean package -DskipTests'</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> stage(<span class="string">'单元测试'</span>) {</span><br><span class="line"> steps {</span><br><span class="line"> sh <span class="string">'mvn test'</span></span><br><span class="line"> }</span><br><span class="line"> post {</span><br><span class="line"> always {</span><br><span class="line"> junit <span class="string">'**/target/surefire-reports/*.xml'</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> post {</span><br><span class="line"> success {</span><br><span class="line"> echo <span class="string">'构建成功'</span></span><br><span class="line"> }</span><br><span class="line"> failure {</span><br><span class="line"> echo <span class="string">'构建失败'</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><ol start="2"><li>Scripted Pipeline example:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line">node {</span><br><span class="line"> <span class="keyword">def</span> mvnHome = tool <span class="string">'Maven3'</span></span><br><span class="line"> </span><br><span class="line"> stage(<span class="string">'检出代码'</span>) {</span><br><span class="line"> git <span 
class="string">'https://gitlab.example.com/project.git'</span></span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> stage(<span class="string">'编译构建'</span>) {</span><br><span class="line"> sh <span class="string">"${mvnHome}/bin/mvn clean package"</span></span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h3 id="Pipeline共享库"><a href="#Pipeline共享库" class="headerlink" title="Pipeline共享库"></a>Pipeline Shared Libraries</h3><p><strong>Shared library configuration</strong></p><ol><li>Create the shared library repository layout:</li></ol><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">├── src # Java source directory</span><br><span class="line">│ └── org/devops/utils</span><br><span class="line">│ ├── Builder.groovy</span><br><span class="line">│ └── Deploy.groovy</span><br><span class="line">├── vars # Pipeline script directory</span><br><span class="line">│ ├── buildJava.groovy</span><br><span class="line">│ ├── buildNode.groovy</span><br><span class="line">│ └── k8sDeploy.groovy</span><br><span class="line">└── resources # Resource file directory</span><br><span class="line"> └── templates</span><br><span class="line"> ├── deployment.yaml</span><br><span class="line"> └── service.yaml</span><br></pre></td></tr></table></figure><ol start="2"><li>Configure the shared library:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line"><span class="comment">// Add in the Jenkins system configuration</span></span><br><span class="line">library <span class="attr">identifier:</span> <span class="string">'jenkins-shared-lib@master'</span>,</span><br><span class="line"> <span class="symbol">retriever:</span> modernSCM([</span><br><span class="line"> <span class="symbol">$class:</span> <span class="string">'GitSCMSource'</span>,</span><br><span class="line"> <span class="symbol">remote:</span> <span class="string">'https://gitlab.example.com/devops/jenkins-shared-lib.git'</span>,</span><br><span class="line"> <span class="symbol">credentialsId:</span> <span 
class="string">'gitlab-credentials'</span></span><br><span class="line"> ])</span><br></pre></td></tr></table></figure><ol start="3"><li>Shared library usage example:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line"><span class="meta">@Library</span>(<span class="string">'jenkins-shared-lib'</span>) _</span><br><span class="line"></span><br><span class="line">pipeline {</span><br><span class="line"> agent any</span><br><span class="line"> stages {</span><br><span class="line"> stage(<span class="string">'构建'</span>) {</span><br><span class="line"> steps {</span><br><span class="line"> buildJava(</span><br><span class="line"> <span class="symbol">jdkVersion:</span> <span class="string">'17'</span>,</span><br><span class="line"> <span class="symbol">mvnGoals:</span> <span class="string">'clean package'</span></span><br><span class="line"> )</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> stage(<span class="string">'部署'</span>) {</span><br><span class="line"> steps {</span><br><span class="line"> k8sDeploy(</span><br><span class="line"> <span class="symbol">namespace:</span> <span class="string">'production'</span>,</span><br><span class="line"> <span class="symbol">appName:</span> <span class="string">'demo-app'</span></span><br><span class="line"> )</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h3 id="多分支流水线"><a href="#多分支流水线" class="headerlink" title="多分支流水线"></a>Multibranch Pipelines</h3><p><strong>Configuration examples</strong></p><ol><li>Branch discovery configuration:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line">properties([</span><br><span class="line"> pipelineTriggers([</span><br><span class="line"> [<span class="attr">$class:</span> <span class="string">'GitLabPushTrigger'</span>,</span><br><span class="line"> <span class="symbol">triggerOnPush:</span> <span 
class="literal">true</span>,</span><br><span class="line"> <span class="symbol">triggerOnMergeRequest:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">triggerOpenMergeRequestOnPush:</span> <span class="string">"never"</span>,</span><br><span class="line"> <span class="symbol">triggerOnNoteRequest:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">noteRegex:</span> <span class="string">"Jenkins please retry"</span>,</span><br><span class="line"> <span class="symbol">skipWorkInProgressMergeRequest:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">secretToken:</span> <span class="string">"YOUR-TOKEN-HERE"</span>,</span><br><span class="line"> <span class="symbol">ciSkip:</span> <span class="literal">false</span>,</span><br><span class="line"> <span class="symbol">setBuildDescription:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">addNoteOnMergeRequest:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">addCiMessage:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">addVoteOnMergeRequest:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">acceptMergeRequestOnSuccess:</span> <span class="literal">false</span>,</span><br><span class="line"> <span class="symbol">branchFilterType:</span> <span class="string">"NameBasedFilter"</span>,</span><br><span class="line"> <span class="symbol">includeBranchesSpec:</span> <span class="string">"main develop feature/* release/*"</span>,</span><br><span class="line"> <span class="symbol">excludeBranchesSpec:</span> <span class="string">""</span>]</span><br><span class="line"> ])</span><br><span 
class="line">])</span><br></pre></td></tr></table></figure><ol start="2"><li>Environment configuration:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line">pipeline {</span><br><span class="line"> agent any</span><br><span class="line"> </span><br><span class="line"> environment {</span><br><span class="line"> <span class="comment">// Set the environment variable dynamically from the branch</span></span><br><span class="line"> DEPLOY_ENV = <span class="string">"${BRANCH_NAME == 'main' ? 'prod' : </span></span><br><span class="line"><span class="string"> BRANCH_NAME == 'develop' ? 'test' : 'dev'}"</span></span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> stages {</span><br><span class="line"> stage(<span class="string">'部署'</span>) {</span><br><span class="line"> steps {</span><br><span class="line"> script {</span><br><span class="line"> <span class="comment">// Choose the deployment strategy for the environment</span></span><br><span class="line"> <span class="keyword">switch</span>(env.DEPLOY_ENV) {</span><br><span class="line"> <span class="keyword">case</span> <span class="string">'prod'</span>:</span><br><span class="line"> deployToProd()</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"> <span class="keyword">case</span> <span class="string">'test'</span>:</span><br><span class="line"> deployToTest()</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"> <span class="symbol">default:</span></span><br><span class="line"> deployToDev()</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h2 id="高级特性配置"><a href="#高级特性配置" class="headerlink" title="高级特性配置"></a>Advanced Features</h2><h3 id="GitLab集成"><a href="#GitLab集成" class="headerlink" 
title="GitLab集成"></a>GitLab Integration</h3><p><strong>Webhook configuration</strong></p><ol><li>GitLab system settings:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Admin Area > Settings > Network > Outbound requests</span><br><span class="line">Allow requests to the local network from web hooks and services: enabled</span><br></pre></td></tr></table></figure><ol start="2"><li>Project webhook configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Project > Settings > Webhooks</span><br><span class="line">URL: http://jenkins-url/project/your-project</span><br><span class="line">Secret Token: your-secret-token</span><br><span class="line">Trigger:</span><br><span class="line">- Push events</span><br><span class="line">- Merge request events</span><br><span class="line">- Tag push events</span><br></pre></td></tr></table></figure><ol start="3"><li>Jenkins trigger configuration:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line">triggers {</span><br><span class="line"> gitlab(</span><br><span class="line"> <span class="symbol">triggerOnPush:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">triggerOnMergeRequest:</span> <span class="literal">true</span>,</span><br><span class="line"> <span class="symbol">branchFilterType:</span> <span class="string">'All'</span>,</span><br><span class="line"> <span class="symbol">secretToken:</span> env.GITLAB_WEBHOOK_TOKEN</span><br><span class="line"> )</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h3 id="Docker集成"><a href="#Docker集成" class="headerlink" title="Docker集成"></a>Docker Integration</h3><p><strong>Docker build configuration</strong></p><ol><li>Dockerfile example:</li></ol><figure class="highlight dockerfile"><table><tr><td class="code"><pre><span class="line"><span class="keyword">FROM</span> openjdk:<span class="number">17</span>-jdk-slim</span><br><span class="line"><span class="keyword">WORKDIR</span><span 
class="language-bash"> /app</span></span><br><span class="line"><span class="keyword">COPY</span><span class="language-bash"> target/*.jar app.jar</span></span><br><span class="line"><span class="keyword">ENTRYPOINT</span><span class="language-bash"> [<span class="string">"java"</span>, <span class="string">"-jar"</span>, <span class="string">"app.jar"</span>]</span></span><br></pre></td></tr></table></figure><ol start="2"><li>Docker build in the Pipeline:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line">pipeline {</span><br><span class="line">    agent any</span><br><span class="line">    environment {</span><br><span class="line">        DOCKER_REGISTRY = <span class="string">'registry.example.com'</span></span><br><span class="line">        IMAGE_NAME = <span class="string">'demo-app'</span></span><br><span class="line">        IMAGE_TAG = <span class="string">"${BUILD_NUMBER}"</span></span><br><span class="line">    }</span><br><span class="line">    stages {</span><br><span class="line">        stage(<span class="string">'构建镜像'</span>) {</span><br><span class="line">            steps {</span><br><span class="line">                script {</span><br><span class="line">                    docker.build(<span class="string">"${DOCKER_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"</span>)</span><br><span class="line">                }</span><br><span class="line">            }</span><br><span class="line">        }</span><br><span class="line">        stage(<span class="string">'推送镜像'</span>) {</span><br><span class="line">            steps {</span><br><span class="line">                script {</span><br><span class="line">                    docker.withRegistry(<span class="string">"https://${DOCKER_REGISTRY}"</span>, <span class="string">'docker-registry-credentials'</span>) {</span><br><span class="line">                        docker.image(<span class="string">"${DOCKER_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"</span>).push()</span><br><span class="line">                        docker.image(<span class="string">"${DOCKER_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"</span>).push(<span class="string">'latest'</span>)</span><br><span class="line">                    
}</span><br><span class="line">                }</span><br><span class="line">            }</span><br><span class="line">        }</span><br><span class="line">    }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h3 id="Kubernetes集成"><a href="#Kubernetes集成" class="headerlink" title="Kubernetes集成"></a>Kubernetes Integration</h3><p><strong>K8s deployment configuration</strong></p><ol><li>Credential configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Kind: Secret file</span><br><span class="line">Scope: Global</span><br><span class="line">ID: k8s-config</span><br><span class="line">File: ~/.kube/config</span><br></pre></td></tr></table></figure><ol start="2"><li>Deployment script:</li></ol><figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> deployToK8s(String namespace, String deployment, String container, String image) {</span><br><span class="line">    <span class="comment">// The arguments are interpolated into the shell command below; pass only validated values</span></span><br><span class="line">    withKubeConfig([<span class="attr">credentialsId:</span> <span class="string">'k8s-config'</span>]) {</span><br><span class="line">        sh <span class="string">"""</span></span><br><span class="line"><span class="string">            kubectl -n ${namespace} set image deployment/${deployment} ${container}=${image}</span></span><br><span class="line"><span class="string">            kubectl -n ${namespace} rollout status deployment/${deployment}</span></span><br><span class="line"><span class="string">        """</span></span><br><span class="line">    }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h2 id="运维管理"><a href="#运维管理" class="headerlink" title="运维管理"></a>Operations Management</h2><h3 id="备份策略"><a href="#备份策略" class="headerlink" title="备份策略"></a>Backup Strategy</h3><p><strong>Configuration backup</strong></p><ol><li>Scheduled backup script:</li></ol><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/bin/bash</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Backup settings</span></span><br><span class="line">BACKUP_ROOT=<span 
class="string">"/backup/jenkins"</span></span><br><span class="line">JENKINS_HOME=<span class="string">"/data/jenkins"</span></span><br><span class="line">DATE=$(<span class="built_in">date</span> +%Y%m%d)</span><br><span class="line">BACKUP_DIR=<span class="string">"<span class="variable">${BACKUP_ROOT}</span>/<span class="variable">${DATE}</span>"</span></span><br><span class="line">RETAIN_DAYS=30</span><br><span class="line"></span><br><span class="line"><span class="comment"># Create the backup directory</span></span><br><span class="line"><span class="built_in">mkdir</span> -p <span class="variable">${BACKUP_DIR}</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Back up the Jenkins configuration (the archive includes credentials and secrets, so restrict access to it)</span></span><br><span class="line">tar -czf <span class="variable">${BACKUP_DIR}</span>/jenkins_home.tar.gz <span class="variable">${JENKINS_HOME}</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Remove old backups (only the dated directories directly under BACKUP_ROOT, never BACKUP_ROOT itself)</span></span><br><span class="line">find <span class="variable">${BACKUP_ROOT}</span> -mindepth 1 -maxdepth 1 -<span class="built_in">type</span> d -mtime +<span class="variable">${RETAIN_DAYS}</span> -<span class="built_in">exec</span> <span class="built_in">rm</span> -rf {} \;</span><br></pre></td></tr></table></figure><ol start="2"><li>Automatic backup configuration:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > Configure System > Periodic backup</span><br><span class="line">Schedule: H 0 * * *</span><br></pre></td></tr></table></figure><h3 id="监控告警"><a href="#监控告警" class="headerlink" title="监控告警"></a>Monitoring and Alerting</h3><p><strong>Monitoring metrics</strong></p><ol><li>System monitoring:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- CPU usage</span><br><span class="line">- Memory usage</span><br><span class="line">- Disk usage</span><br><span class="line">- Build queue length</span><br></pre></td></tr></table></figure><ol start="2"><li>Build monitoring:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- 
Build success rate</span><br><span class="line">- Build duration</span><br><span class="line">- Test coverage</span><br><span class="line">- Code quality metrics</span><br></pre></td></tr></table></figure><ol start="3"><li>Prometheus integration:</li></ol><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="bullet">-</span> <span class="attr">job_name:</span> <span class="string">'jenkins'</span></span><br><span class="line">  <span class="attr">metrics_path:</span> <span class="string">'/prometheus'</span></span><br><span class="line">  <span class="attr">static_configs:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">targets:</span> [<span class="string">'jenkins:8080'</span>]</span><br></pre></td></tr></table></figure><h3 id="日志管理"><a href="#日志管理" class="headerlink" title="日志管理"></a>Log Management</h3><p><strong>Log configuration</strong></p><ol><li>System log:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">Manage Jenkins > System Log</span><br><span class="line">- Log Level: INFO</span><br><span class="line">- Log Rotation: 7 days</span><br></pre></td></tr></table></figure><ol start="2"><li>Build logs:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Retention policy: keep the most recent 100 builds</span><br><span class="line">- Log rotation: archive automatically above 50 MB</span><br></pre></td></tr></table></figure><h2 id="最佳实践"><a href="#最佳实践" class="headerlink" title="最佳实践"></a>Best Practices</h2><h3 id="开发规范"><a href="#开发规范" class="headerlink" title="开发规范"></a>Development Conventions</h3><ol><li>Code conventions:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Use declarative Pipeline</span><br><span class="line">- Avoid hard-coding configuration in the Pipeline</span><br><span class="line">- Use shared libraries where appropriate</span><br><span class="line">- Keep the Pipeline concise and clear</span><br></pre></td></tr></table></figure><ol start="2"><li>Naming conventions:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Job naming: <project>-<environment>-<function></span><br><span class="line">- Label naming: 
role-<function></span><br><span class="line">- Parameter naming: use uppercase letters</span><br></pre></td></tr></table></figure><h3 id="安全建议"><a href="#安全建议" class="headerlink" title="安全建议"></a>Security Recommendations</h3><ol><li>System security:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Keep Jenkins up to date</span><br><span class="line">- Update plugins regularly</span><br><span class="line">- Access Jenkins over HTTPS</span><br><span class="line">- Enable audit logging</span><br></pre></td></tr></table></figure><ol start="2"><li>Access control:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Follow the principle of least privilege</span><br><span class="line">- Review permissions regularly</span><br><span class="line">- Use key-based credentials</span><br><span class="line">- Avoid plaintext passwords</span><br></pre></td></tr></table></figure><h3 id="性能优化"><a href="#性能优化" class="headerlink" title="性能优化"></a>Performance Optimization</h3><ol><li>System optimization:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Set an appropriate number of executors</span><br><span class="line">- Clean up workspaces promptly</span><br><span class="line">- Use agent nodes to spread the load</span><br><span class="line">- Configure build timeouts</span><br></pre></td></tr></table></figure><ol start="2"><li>Pipeline optimization:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Run independent steps in parallel</span><br><span class="line">- Use caching to speed up builds</span><br><span class="line">- Avoid unnecessary builds</span><br><span class="line">- Use triggers judiciously</span><br></pre></td></tr></table></figure><h3 id="常见问题"><a href="#常见问题" class="headerlink" title="常见问题"></a>Common Issues</h3><ol><li>Handling build failures:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Check the code changes</span><br><span class="line">- Review the build log</span><br><span class="line">- Verify the environment configuration</span><br><span class="line">- Check resource usage</span><br></pre></td></tr></table></figure><ol start="2"><li>Handling performance problems:</li></ol><figure class="highlight text"><table><tr><td class="code"><pre><span class="line">- Analyze the system load</span><br><span class="line">- Check memory usage</span><br><span class="line">- Optimize the build process</span><br><span class="line">- 
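Clean up historical data</span><br></pre></td></tr></table></figure><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>Jenkins is a powerful continuous integration tool; configured and used properly, it can significantly improve a development team's efficiency. This document is a complete configuration guide, from basic deployment to advanced features, and we hope it helps you make better use of Jenkins.</p><p>Use the configurations in this document selectively according to your actual needs, and adjust and optimize them for your team's situation. Also keep following Jenkins releases and security advisories to keep the system secure and stable.</p>]]></content>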
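<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;This article is a detailed tutorial on deploying and using Jenkins, a complete guide covering basic deployment, core system configuration, pipeline configuration and advanced feature configuration. It has six parts: basic deployment, system configuration, pipeline configuration, advanced features, operations management and best practices, with many practical code examples and configuration notes. Whether you are new to Jenkins or an experienced DevOps engineer, you will find useful material here for running continuous integration and continuous deployment with Jenkins.</p></summary>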
<category term="Development" scheme="https://freemankevin.uk/categories/Development/"/>
<category term="Development" scheme="https://freemankevin.uk/tags/Development/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="Jenkins" scheme="https://freemankevin.uk/tags/Jenkins/"/>
</entry>
<entry>
<title>Deploying a CIFS Server on Linux and Mounting It from Clients</title>
<link href="https://freemankevin.uk/2025/01/10/cifs-linux/"/>
<id>https://freemankevin.uk/2025/01/10/cifs-linux/</id>
<published>2025-01-10T06:57:25.000Z</published>
<updated>2025-01-10T06:57:08.007Z</updated>
<content type="html"><![CDATA[<p>CIFS is a network file system protocol for sharing files between Linux and Windows systems. CIFS can be used as a client and can also act as a server that provides shares. This article describes how to install and configure a CIFS server on Linux, how to mount a CIFS share on Linux, and how to access a CIFS share from Windows. CentOS, Debian and Windows environments are all covered.</p><span id="more"></span><h2 id="安装和配置-CIFS-服务端"><a href="#安装和配置-CIFS-服务端" class="headerlink" title="安装和配置 CIFS 服务端"></a>Install and Configure the CIFS Server</h2><h3 id="安装-Samba(CIFS-服务端)"><a href="#安装-Samba(CIFS-服务端)" class="headerlink" title="安装 Samba(CIFS 服务端)"></a>Install Samba (the CIFS Server)</h3><p>The CIFS server relies on Samba to provide file sharing, so first install Samba on the Linux system.</p><h4 id="CentOS-RHEL"><a href="#CentOS-RHEL" class="headerlink" title="CentOS / RHEL"></a>CentOS / RHEL</h4><p>Install Samba on CentOS or RHEL:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo yum install -y samba samba-client samba-common</span><br></pre></td></tr></table></figure><h4 id="Debian-Ubuntu"><a href="#Debian-Ubuntu" class="headerlink" title="Debian / Ubuntu"></a>Debian / Ubuntu</h4><p>Install Samba on Debian or Ubuntu:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo apt update</span><br><span class="line">sudo apt install -y samba samba-common-bin</span><br></pre></td></tr></table></figure><h3 id="配置-Samba-共享"><a href="#配置-Samba-共享" class="headerlink" title="配置 Samba 共享"></a>Configure the Samba Share</h3><p>After installation, edit the Samba configuration file <code>/etc/samba/smb.conf</code> and append the share definition at the end of the file. Assume we want to share the directory <code>/data/samba/share</code> and require a username and password for access.</p><p>Edit the <code>smb.conf</code> configuration file:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo vi /etc/samba/smb.conf</span><br></pre></td></tr></table></figure><p>Append the following configuration at the end of the file:</p><figure class="highlight ini"><table><tr><td class="code"><pre><span class="line"><span class="section">[share]</span></span><br><span class="line">    <span class="attr">path</span> = /data/samba/share</span><br><span class="line">    <span class="attr">browsable</span> = <span 
class="literal">yes</span></span><br><span class="line">    <span class="attr">writable</span> = <span class="literal">yes</span></span><br><span class="line">    guest <span class="attr">ok</span> = <span class="literal">no</span></span><br><span class="line">    valid <span class="attr">users</span> = your_username</span><br></pre></td></tr></table></figure><ul><li><code>path</code>: the path of the shared directory</li><li><code>browsable</code>: allows the share to be browsed</li><li><code>writable</code>: allows writes</li><li><code>guest ok</code>: disallows anonymous access (set to <code>no</code>)</li><li><code>valid users</code>: the users allowed to access the share</li></ul><h3 id="创建共享目录并设置权限"><a href="#创建共享目录并设置权限" class="headerlink" title="创建共享目录并设置权限"></a>Create the Shared Directory and Set Permissions</h3><p>Make sure the shared directory exists and has appropriate permissions:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo mkdir -p /data/samba/share</span><br><span class="line">sudo chown -R your_username:your_username /data/samba/share</span><br></pre></td></tr></table></figure><h3 id="配置-Samba-用户"><a href="#配置-Samba-用户" class="headerlink" title="配置 Samba 用户"></a>Configure the Samba User</h3><p>Add a Samba user that will be used to access the shared directory:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo smbpasswd -a your_username</span><br></pre></td></tr></table></figure><p>Then enable the Samba services and have them start at boot (on Debian/Ubuntu the units are named <code>smbd</code> and <code>nmbd</code>):</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo systemctl enable smb nmb</span><br><span class="line">sudo systemctl start smb nmb</span><br></pre></td></tr></table></figure><h3 id="检查-Samba-服务"><a href="#检查-Samba-服务" class="headerlink" title="检查 Samba 服务"></a>Check the Samba Services</h3><p>Verify that the Samba services are running:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo systemctl status smb nmb</span><br></pre></td></tr></table></figure><p>Make sure the services have started and are running normally.</p><h3 id="使用-Smbclient-查看共享"><a href="#使用-Smbclient-查看共享" class="headerlink" title="使用 Smbclient 查看共享"></a>List Shares with smbclient</h3><p>If smbclient returns the error NT_STATUS_BAD_NETWORK_NAME
when you connect to a share, the share could not be found. Try listing all shares to see whether the share list can be retrieved correctly:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">smbclient -L //192.168.1.100 -U your_username</span><br></pre></td></tr></table></figure><p>If the share list is returned, confirm that the share name is correct. Otherwise, check the Samba configuration file or restart the Samba services.</p><h2 id="在-Linux-客户端挂载-CIFS-共享"><a href="#在-Linux-客户端挂载-CIFS-共享" class="headerlink" title="在 Linux 客户端挂载 CIFS 共享"></a>Mount the CIFS Share on a Linux Client</h2><h3 id="安装-CIFS-工具"><a href="#安装-CIFS-工具" class="headerlink" title="安装 CIFS 工具"></a>Install the CIFS Utilities</h3><h4 id="CentOS-RHEL-1"><a href="#CentOS-RHEL-1" class="headerlink" title="CentOS / RHEL"></a>CentOS / RHEL</h4><p>On CentOS or RHEL, install the <code>cifs-utils</code> package:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo yum install -y cifs-utils</span><br></pre></td></tr></table></figure><h4 id="Debian-Ubuntu-1"><a href="#Debian-Ubuntu-1" class="headerlink" title="Debian / Ubuntu"></a>Debian / Ubuntu</h4><p>On Debian or Ubuntu, install the <code>cifs-utils</code> package:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo apt update</span><br><span class="line">sudo apt install -y cifs-utils</span><br></pre></td></tr></table></figure><h3 id="创建挂载点"><a href="#创建挂载点" class="headerlink" title="创建挂载点"></a>Create the Mount Point</h3><p>Create a local mount point directory:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo mkdir -p /data/cifs</span><br></pre></td></tr></table></figure><h3 id="手动挂载-CIFS-共享"><a href="#手动挂载-CIFS-共享" class="headerlink" title="手动挂载 CIFS 共享"></a>Mount the CIFS Share Manually</h3><p>Use the <code>mount</code> command to mount the CIFS share. Assume the server IP address is <code>192.168.1.100</code>, the share name is <code>share</code>, the mount point is <code>/data/cifs</code>, and the username and password are <code>your_username</code> and <code>your_password</code>. A password given on the command line is visible in the process list and in shell history; the credentials file used for the permanent mount below avoids this.</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo mount -t cifs //192.168.1.100/share /data/cifs -o 
username=your_username,password=your_password</span><br></pre></td></tr></table></figure><h3 id="永久挂载-CIFS-共享"><a href="#永久挂载-CIFS-共享" class="headerlink" title="永久挂载 CIFS 共享"></a>Mount the CIFS Share Permanently</h3><p>To have the CIFS share mounted automatically after a reboot, add the mount configuration to the <code>/etc/fstab</code> file:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">//192.168.1.100/share /data/cifs cifs credentials=/etc/samba/.smbcredentials,uid=1000,gid=1000 0 0</span><br></pre></td></tr></table></figure><p>Here the <code>.smbcredentials</code> file holds the username and password for the CIFS share. Its contents are:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">username=your_username</span><br><span class="line">password=your_password</span><br></pre></td></tr></table></figure><p>Make sure the file's permissions are <code>600</code>:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">chmod 600 /etc/samba/.smbcredentials</span><br></pre></td></tr></table></figure><p>With this configuration, the CIFS share is mounted automatically at every boot.</p><h2 id="在-Windows-客户端访问-CIFS-共享"><a href="#在-Windows-客户端访问-CIFS-共享" class="headerlink" title="在 Windows 客户端访问 CIFS 共享"></a>Access the CIFS Share from a Windows Client</h2><h3 id="通过文件资源管理器访问"><a href="#通过文件资源管理器访问" class="headerlink" title="通过文件资源管理器访问"></a>Access Through File Explorer</h3><p>On Windows, the CIFS share can be accessed through File Explorer:</p><ol><li>Open <strong>File Explorer</strong>.</li><li>Enter <code>\\192.168.1.100\share</code> in the address bar and press Enter.</li><li>Enter the username and password for the CIFS share.</li></ol><p>Windows can now access the shared folder.</p><h2 id="批量挂载-CIFS-共享的自动化脚本"><a href="#批量挂载-CIFS-共享的自动化脚本" class="headerlink" title="批量挂载 CIFS 共享的自动化脚本"></a>Automation Script for Batch-Mounting CIFS Shares</h2><p>If you need to batch-mount multiple CIFS shares, the following shell script automatically mounts the specified CIFS shares and adds the mount information to <code>/etc/fstab</code>.</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">#</span><span class="language-bash">!/bin/bash</span></span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span 
class="language-bash">Configuration variables</span></span><br><span class="line">USERNAME="your_username" # CIFS username</span><br><span class="line">PASSWORD="your_password" # CIFS password</span><br><span class="line">SHARE_PATH="//192.168.1.100/share" # CIFS share path</span><br><span class="line">MOUNT_POINT="/data/cifs" # Local mount point</span><br><span class="line">CREDENTIALS_FILE="/etc/samba/.smbcredentials" # Path of the credentials file</span><br><span class="line">CIFS_PORT=445 # Default port used by CIFS</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Detect the operating system type</span></span><br><span class="line">OS_TYPE=""</span><br><span class="line">if [ -f /etc/os-release ]; then</span><br><span class="line">    . /etc/os-release</span><br><span class="line">    OS_TYPE=$ID</span><br><span class="line">else</span><br><span class="line">    echo "无法检测操作系统类型,脚本退出。"</span><br><span class="line">    exit 1</span><br><span class="line">fi</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Check for and install the CIFS client</span></span><br><span class="line">install_cifs_client() {</span><br><span class="line">    echo "检查并安装 CIFS 客户端工具..."</span><br><span class="line">    if [[ "$OS_TYPE" == "centos" || "$OS_TYPE" == "rhel" ]]; then</span><br><span class="line">        if ! rpm -q cifs-utils > /dev/null 2>&1; then</span><br><span class="line">            echo "安装 cifs-utils..."</span><br><span class="line">            yum install -y cifs-utils</span><br><span class="line">        else</span><br><span class="line">            echo "cifs-utils 已安装。"</span><br><span class="line">        fi</span><br><span class="line">    elif [[ "$OS_TYPE" == "debian" || "$OS_TYPE" == "ubuntu" ]]; then</span><br><span class="line">        if ! 
dpkg -l | grep -q cifs-utils; then</span><br><span class="line">            echo "安装 cifs-utils..."</span><br><span class="line">            apt-get update && apt-get install -y cifs-utils</span><br><span class="line">        else</span><br><span class="line">            echo "cifs-utils 已安装。"</span><br><span class="line">        fi</span><br><span class="line">    else</span><br><span class="line">        echo "不支持的操作系统类型:$OS_TYPE"</span><br><span class="line">        exit 1</span><br><span class="line">    fi</span><br><span class="line">}</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Check network connectivity</span></span><br><span class="line">check_network() {</span><br><span class="line">    echo "检查网络连通性..."</span><br><span class="line">    if ! ping -c 2 -W 2 $(echo $SHARE_PATH | awk -F'//' '{print $2}' | awk -F'/' '{print $1}') > /dev/null 2>&1; then</span><br><span class="line">        echo "无法访问服务器,请检查网络连接!"</span><br><span class="line">        exit 1</span><br><span class="line">    else</span><br><span class="line">        echo "网络连通正常。"</span><br><span class="line">    fi</span><br><span class="line">}</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Check connectivity to the CIFS port</span></span><br><span class="line">check_port() {</span><br><span class="line">    echo "检查 CIFS 端口 ($CIFS_PORT) 连通性..."</span><br><span class="line">    if ! 
timeout 3 bash -c "exec 3<>/dev/tcp/$(echo $SHARE_PATH | awk -F'//' '{print $2}' | awk -F'/' '{print $1}')/$CIFS_PORT" > /dev/null 2>&1; then  # opens a TCP connection to the server's CIFS port</span><br><span class="line">        echo "端口 $CIFS_PORT 不可用,请检查防火墙设置!"</span><br><span class="line">        exit 1</span><br><span class="line">    else</span><br><span class="line">        echo "端口 $CIFS_PORT 连通正常。"</span><br><span class="line">    fi</span><br><span class="line">}</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Create the mount point directory</span></span><br><span class="line">create_mount_point() {</span><br><span class="line">    if [ ! -d "$MOUNT_POINT" ]; then</span><br><span class="line">        echo "创建挂载点目录:$MOUNT_POINT"</span><br><span class="line">        mkdir -p "$MOUNT_POINT"</span><br><span class="line">    else</span><br><span class="line">        echo "挂载点目录已存在:$MOUNT_POINT"</span><br><span class="line">    fi</span><br><span class="line">}</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Create the credentials file</span></span><br><span class="line">create_credentials_file() {</span><br><span class="line">    echo "创建凭据文件:$CREDENTIALS_FILE"</span><br><span class="line">    install -m 600 /dev/null "$CREDENTIALS_FILE" # create the file with mode 600 before the password is written to it</span><br><span class="line">    cat <<EOF > "$CREDENTIALS_FILE"</span><br><span class="line">username=$USERNAME</span><br><span class="line">password=$PASSWORD</span><br><span class="line">EOF</span><br><span class="line">    chmod 600 "$CREDENTIALS_FILE"</span><br><span class="line">}</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Add the mount configuration to /etc/fstab</span></span><br><span class="line">configure_fstab() {</span><br><span class="line">    echo "配置挂载到 /etc/fstab..."</span><br><span class="line">    if grep -q "$SHARE_PATH" /etc/fstab; then</span><br><span class="line">        echo "$SHARE_PATH 已存在于 /etc/fstab 中,跳过配置。"</span><br><span class="line">    else</span><br><span class="line">        echo "$SHARE_PATH $MOUNT_POINT cifs 
credentials=$CREDENTIALS_FILE,uid=0,gid=0 0 0" >> /etc/fstab</span><br><span class="line">        echo "挂载配置已添加到 /etc/fstab。"</span><br><span class="line">    fi</span><br><span class="line">}</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Perform the mount</span></span><br><span class="line">mount_share() {</span><br><span class="line">    echo "执行挂载..."</span><br><span class="line">    mount -a</span><br><span class="line">    if mount | grep -q "$MOUNT_POINT"; then</span><br><span class="line">        echo "挂载成功!共享路径 $SHARE_PATH 已挂载到 $MOUNT_POINT"</span><br><span class="line">    else</span><br><span class="line">        echo "挂载失败,请检查配置!"</span><br><span class="line">        exit 1</span><br><span class="line">    fi</span><br><span class="line">}</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Main function</span></span><br><span class="line">main() {</span><br><span class="line">    install_cifs_client</span><br><span class="line">    check_network</span><br><span class="line">    check_port</span><br><span class="line">    create_mount_point</span><br><span class="line">    create_credentials_file</span><br><span class="line">    configure_fstab</span><br><span class="line">    mount_share</span><br><span class="line">}</span><br><span class="line"><span class="meta prompt_"></span></span><br><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Run the main function</span></span><br><span class="line">main</span><br></pre></td></tr></table></figure><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>This article described how to install and configure a CIFS server on CentOS and Debian systems, how to mount a CIFS share on a client, and how to access the shared folder from a Windows client. With the batch-mount script, multiple CIFS shares can be managed easily and mounted automatically.</p>]]></content>
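<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;CIFS is a network file system protocol for sharing files between Linux and Windows systems. CIFS can be used as a client and can also act as a server that provides shares. This article describes how to install and configure a CIFS server on Linux, how to mount a CIFS share on Linux, and how to access a CIFS share from Windows. CentOS, Debian and Windows environments are all covered.</p></summary>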
<category term="Linux" scheme="https://freemankevin.uk/categories/Linux/"/>
<category term="Mount" scheme="https://freemankevin.uk/tags/Mount/"/>
<category term="CIFS" scheme="https://freemankevin.uk/tags/CIFS/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
</entry>
<entry>
<title>How to Test Network Bandwidth on a Linux Server</title>
<link href="https://freemankevin.uk/2025/01/10/network/"/>
<id>https://freemankevin.uk/2025/01/10/network/</id>
<published>2025-01-10T05:57:25.000Z</published>
<updated>2025-01-10T03:33:24.145Z</updated>
<content type="html"><![CDATA[<p>In this post we introduce several commonly used network bandwidth testing tools: iPerf3, NetFlow/sFlow and Speedtest CLI. Each tool has its own capabilities and suits different network performance testing needs. From simple bandwidth measurement to detailed traffic analysis, these tools help network administrators and developers quickly assess network performance, troubleshoot problems and tune network settings. This article provides detailed installation methods, configuration tips and usage examples to help you choose and use these tools efficiently and improve your network management.</p><span id="more"></span><h2 id="iPerf3"><a href="#iPerf3" class="headerlink" title="iPerf3"></a>iPerf3</h2><h3 id="背景介绍"><a href="#背景介绍" class="headerlink" title="背景介绍"></a>Background</h3><p>iPerf3 is a very popular open-source network performance testing tool, used mainly to measure network bandwidth, latency and packet loss. It supports both TCP and UDP and runs on multiple operating systems (such as Linux, macOS and Windows). iPerf3 tests network performance using a client-server architecture and is widely used by network administrators and developers for network optimization, troubleshooting and bandwidth assessment.</p><h3 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h3><h4 id="macOS"><a href="#macOS" class="headerlink" title="macOS"></a>macOS</h4><p>On macOS, install with Homebrew:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">brew install iperf3</span><br></pre></td></tr></table></figure><h4 id="CentOS-RHEL-Fedora"><a href="#CentOS-RHEL-Fedora" class="headerlink" title="CentOS / RHEL / Fedora"></a>CentOS / RHEL / Fedora</h4><p>On CentOS or RHEL, first enable the EPEL repository, then install iPerf3:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">sudo</span> yum install epel-release</span><br><span class="line"><span class="built_in">sudo</span> yum install iperf3</span><br></pre></td></tr></table></figure><h4 id="Debian-Ubuntu"><a href="#Debian-Ubuntu" class="headerlink" title="Debian / Ubuntu"></a>Debian / Ubuntu</h4><p>On Debian or Ubuntu, install directly with the apt package manager:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">sudo</span> apt update</span><br><span class="line"><span class="built_in">sudo</span> apt install iperf3</span><br></pre></td></tr></table></figure><h3 id="使用方法"><a href="#使用方法" class="headerlink" title="使用方法"></a>Usage</h3><h4 id="启动-iPerf3-服务端"><a href="#启动-iPerf3-服务端" class="headerlink" title="启动 iPerf3 服务端"></a>Start the iPerf3 Server</h4><p>On the target machine, start the iPerf3
server, which listens on the default port 5201 (another port can be specified).</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">iperf3 -s</span><br></pre></td></tr></table></figure><h4 id="启动-iPerf3-客户端"><a href="#启动-iPerf3-客户端" class="headerlink" title="启动 iPerf3 客户端"></a>Start the iPerf3 Client</h4><p>On the test machine (the client), specify the server's IP address and run the bandwidth test. For example:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">iperf3 -c <server-ip> -t 30 -u -b 100M</span><br></pre></td></tr></table></figure><ul><li><code>-c <server-ip></code>: the IP address of the server.</li><li><code>-t 30</code>: run the test for 30 seconds.</li><li><code>-u</code>: use UDP (the default is TCP).</li><li><code>-b 100M</code>: set the bandwidth for the UDP test to 100 Mbps.</li></ul><h4 id="测试其他参数"><a href="#测试其他参数" class="headerlink" title="测试其他参数"></a>Testing with Other Parameters</h4><ul><li>Test with 10 parallel connections:</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">iperf3 -c <server-ip> -t 30 -P 10</span><br></pre></td></tr></table></figure><ul><li>Test TCP bandwidth:</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">iperf3 -c <server-ip> -t 30</span><br></pre></td></tr></table></figure><h3 id="结果输出"><a href="#结果输出" class="headerlink" title="结果输出"></a>Result Output</h3><p>iPerf3 test results include the following:</p><ul><li><strong>Bandwidth</strong>: in Mbps or Gbps.</li><li><strong>Packet loss</strong> (UDP only): measures how many packets were lost.</li><li><strong>Latency</strong>: the RTT (Round Trip Time) of the TCP connection.</li><li><strong>Jitter</strong> (UDP only): measures the jitter (rate of variation) of the UDP stream.</li></ul><h2 id="NetFlow-sFlow"><a href="#NetFlow-sFlow" class="headerlink" title="NetFlow / sFlow"></a>NetFlow / sFlow</h2><h3 id="背景介绍-1"><a href="#背景介绍-1" class="headerlink" title="背景介绍"></a>Background</h3><p>NetFlow and sFlow are two widely used protocols for network traffic monitoring and bandwidth testing. NetFlow was originally introduced by Cisco and is supported by many network devices; it provides detailed traffic analysis, including each flow's source IP, destination IP, port numbers and protocol type. sFlow is a sampling protocol suited to environments that need large-scale monitoring; it samples traffic randomly to reduce the impact on network performance. Both are widely used in network management and monitoring, especially for analyzing bandwidth usage and traffic patterns.</p><h3 id="使用方法-1"><a href="#使用方法-1" class="headerlink" title="使用方法"></a>Usage</h3><h4 id="NetFlow-安装与配置"><a href="#NetFlow-安装与配置" class="headerlink" 
title="NetFlow 安装与配置"></a>NetFlow Installation and Configuration</h4><h5 id="在路由器-交换机上启用-NetFlow"><a href="#在路由器-交换机上启用-NetFlow" class="headerlink" title="在路由器/交换机上启用 NetFlow"></a>Enable NetFlow on the Router/Switch</h5><p>NetFlow must be enabled on a network device that supports it (such as a Cisco router). The following is an example configuration that enables NetFlow:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">flow exporter MY_EXPORTER</span><br><span class="line"> destination 192.168.1.100</span><br><span class="line"> <span class="built_in">source</span> GigabitEthernet0/0</span><br><span class="line"> transport udp 2055</span><br></pre></td></tr></table></figure><p>This configuration exports NetFlow data to the collector at IP address <code>192.168.1.100</code>.</p><h5 id="安装-NetFlow-收集器"><a href="#安装-NetFlow-收集器" class="headerlink" title="安装 NetFlow 收集器"></a>Install a NetFlow Collector</h5><p>On Debian or CentOS, install <code>nfdump</code> (a NetFlow data collection tool):</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">sudo</span> apt install nfdump <span class="comment"># Debian/Ubuntu</span></span><br><span class="line"><span class="built_in">sudo</span> yum install nfdump <span class="comment"># CentOS/RHEL</span></span><br></pre></td></tr></table></figure><h5 id="使用-NetFlow-查看流量"><a href="#使用-NetFlow-查看流量" class="headerlink" title="使用 NetFlow 查看流量"></a>View Traffic with NetFlow</h5><p>Use the following command to view the flow data:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">nfdump -R /path/to/flow/data -o csv</span><br></pre></td></tr></table></figure><h4 id="sFlow-安装与配置"><a href="#sFlow-安装与配置" class="headerlink" title="sFlow 安装与配置"></a>sFlow Installation and Configuration</h4><h5 id="在交换机-路由器上启用-sFlow"><a href="#在交换机-路由器上启用-sFlow" class="headerlink" title="在交换机/路由器上启用 sFlow"></a>Enable sFlow on the Switch/Router</h5><p>Enable sFlow and specify the export destination:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">sflow <span class="built_in">enable</span></span><br><span class="line">sflow destination 192.168.1.100 6343</span><br></pre></td></tr></table></figure><h5 
id="安装-sFlow-收集器"><a href="#安装-sFlow-收集器" class="headerlink" title="安装 sFlow 收集器"></a>Install an sFlow Collector</h5><p>Install <code>sflowtool</code>, a commonly used sFlow data analysis tool, on Debian or CentOS.</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">sudo</span> apt install sflowtool <span class="comment"># Debian/Ubuntu</span></span><br><span class="line"><span class="built_in">sudo</span> yum install sflowtool <span class="comment"># CentOS/RHEL</span></span><br></pre></td></tr></table></figure><h5 id="使用-sFlow-收集数据"><a href="#使用-sFlow-收集数据" class="headerlink" title="使用 sFlow 收集数据"></a>Collect Data with sFlow</h5><p>Use the following command to read sFlow data for analysis:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">sflowtool -r /path/to/sflow/data</span><br></pre></td></tr></table></figure><h2 id="Speedtest-CLI"><a href="#Speedtest-CLI" class="headerlink" title="Speedtest CLI"></a>Speedtest CLI</h2><h3 id="背景介绍-2"><a href="#背景介绍-2" class="headerlink" title="背景介绍"></a>Background</h3><p>Speedtest CLI is a command-line version of the Speedtest tool provided by Ookla, widely used to test the download speed, upload speed, and latency of a network connection. With it, users can run speed tests directly from the command line and get detailed result output. Its advantage is that it integrates quickly into automation scripts, which makes it suitable for developers, system administrators, and network engineers doing bandwidth performance testing.</p><h3 id="安装-1"><a href="#安装-1" class="headerlink" title="安装"></a>Installation</h3><h4 id="macOS-1"><a href="#macOS-1" class="headerlink" title="macOS"></a>macOS</h4><p>Install with Homebrew on macOS:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">brew install speedtest-cli</span><br></pre></td></tr></table></figure><h4 id="CentOS-RHEL-Fedora-1"><a href="#CentOS-RHEL-Fedora-1" class="headerlink" title="CentOS / RHEL / Fedora"></a>CentOS / RHEL / Fedora</h4><p>On CentOS or RHEL, install with <code>pip</code>:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">sudo</span> yum install python3-pip</span><br><span class="line"><span class="built_in">sudo</span> pip3 install speedtest-cli</span><br></pre></td></tr></table></figure><h4 
id="Debian-Ubuntu-1"><a href="#Debian-Ubuntu-1" class="headerlink" title="Debian / Ubuntu"></a>Debian / Ubuntu</h4><p>On Debian or Ubuntu, you can install it directly with <code>apt</code>:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line"><span class="built_in">sudo</span> apt update</span><br><span class="line"><span class="built_in">sudo</span> apt install speedtest-cli</span><br></pre></td></tr></table></figure><h3 id="使用方法-2"><a href="#使用方法-2" class="headerlink" title="使用方法"></a>Usage</h3><h4 id="运行-Speedtest-测试"><a href="#运行-Speedtest-测试" class="headerlink" title="运行 Speedtest 测试"></a>Run a Speedtest</h4><p>Run the following command to test the network bandwidth to the nearest server:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">speedtest-cli</span><br></pre></td></tr></table></figure><p>This displays the download speed, upload speed, and latency.</p><h4 id="选择特定服务器进行测试"><a href="#选择特定服务器进行测试" class="headerlink" title="选择特定服务器进行测试"></a>Test Against a Specific Server</h4><p>First, list all available servers:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">speedtest-cli --list</span><br></pre></td></tr></table></figure><p>Then choose a server to test against (for example, using <code>12345</code> as the server ID):</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">speedtest-cli --server 12345</span><br></pre></td></tr></table></figure><h4 id="输出结果格式"><a href="#输出结果格式" class="headerlink" title="输出结果格式"></a>Output Formats</h4><p>Speedtest CLI can output results in several formats:</p><ul><li>Simple text output:</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">speedtest-cli --simple</span><br></pre></td></tr></table></figure><ul><li>JSON output:</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">speedtest-cli --json</span><br></pre></td></tr></table></figure><ul><li>CSV output:</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">speedtest-cli --csv</span><br></pre></td></tr></table></figure><h3 id="测试其他参数-1"><a href="#测试其他参数-1" 
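class="headerlink" title="测试其他参数"></a>Other Test Parameters</h3><ul><li>Force the use of a specific download server:</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">speedtest-cli --server <server-id></span><br></pre></td></tr></table></figure><ul><li>Use a different connection type (for example, 10 Mbps):</li></ul><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">speedtest-cli --bandwidth 10M</span><br></pre></td></tr></table></figure><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>The background and usage of these tools are summarized below:</p><ul><li><strong>iPerf3</strong>: widely used for network bandwidth performance testing; supports multiple platforms and protocols (TCP, UDP) and tests efficiently through a client/server architecture.</li><li><strong>NetFlow / sFlow</strong>: used for large-scale network traffic monitoring. NetFlow provides detailed flow information, while sFlow uses sampling to reduce the impact on the network; both suit traffic analysis and bandwidth usage assessment.</li><li><strong>Speedtest CLI</strong>: suited to measuring public internet bandwidth; runs quick tests from the command line, supports custom servers and multiple output formats, and is well suited to automation.</li></ul><p>Choosing the right tool helps you accurately assess and optimize network performance in different scenarios.</p>]]></content>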
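<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;In this blog post, we introduce several commonly used network bandwidth testing tools, including iPerf3, NetFlow&#x2F;sFlow, and Speedtest CLI. Each tool has its own features and suits different network performance testing needs. From simple bandwidth measurement to detailed traffic analysis, these tools help network administrators and developers quickly assess network performance, troubleshoot problems, and tune network settings. This article provides detailed installation methods, configuration tips, and usage examples to help you choose and use these tools efficiently and improve your network management capabilities.</p></summary>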
<category term="Test" scheme="https://freemankevin.uk/categories/Test/"/>
<category term="Test" scheme="https://freemankevin.uk/tags/Test/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="Network" scheme="https://freemankevin.uk/tags/Network/"/>
</entry>
<entry>
<title>Upgrading the Linux Kernel</title>
<link href="https://freemankevin.uk/2025/01/10/kernel/"/>
<id>https://freemankevin.uk/2025/01/10/kernel/</id>
<published>2025-01-10T04:57:25.000Z</published>
<updated>2025-01-10T03:15:31.668Z</updated>
<content type="html"><![CDATA[<p> The kernel is the core of the operating system and controls the interaction between hardware and software. As the Linux kernel continues to evolve, upgrading to the latest kernel version can not only improve performance but also strengthen system security. This tutorial shows you how to upgrade the Linux kernel on CentOS and Debian systems.</p><span id="more"></span><h2 id="查看当前内核版本"><a href="#查看当前内核版本" class="headerlink" title="查看当前内核版本"></a>Check the Current Kernel Version</h2><p>Run the following command in a terminal to check the current kernel version:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">uname -r</span><br></pre></td></tr></table></figure><p>Example output:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">4.18.0-240.el8.x86_64</span><br></pre></td></tr></table></figure><h2 id="安装必要的依赖"><a href="#安装必要的依赖" class="headerlink" title="安装必要的依赖"></a>Install the Required Dependencies</h2><p>Before upgrading the kernel, make sure the necessary tools and dependencies are installed.</p><h3 id="对于-CentOS-系统"><a href="#对于-CentOS-系统" class="headerlink" title="对于 CentOS 系统"></a>On CentOS</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo yum install -y yum-utils</span><br></pre></td></tr></table></figure><h3 id="对于-Debian-系统"><a href="#对于-Debian-系统" class="headerlink" title="对于 Debian 系统"></a>On Debian</h3><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo apt-get update</span><br><span class="line">sudo apt-get install -y linux-image-$(uname -r)</span><br></pre></td></tr></table></figure><h2 id="升级内核"><a href="#升级内核" class="headerlink" title="升级内核"></a>Upgrade the Kernel</h2><h3 id="方法-1:通过包管理器自动升级"><a href="#方法-1:通过包管理器自动升级" class="headerlink" title="方法 1:通过包管理器自动升级"></a>Method 1: Upgrade Automatically Through the Package Manager</h3><ul><li><strong>CentOS</strong></li></ul><p>CentOS normally manages kernel packages through <code>yum</code>; you can upgrade the kernel with the following command:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo yum update kernel</span><br></pre></td></tr></table></figure><p>The command downloads and installs the latest kernel version automatically. After the installation completes, reboot the system so the new kernel takes effect.</p><ul><li><strong>Debian</strong></li></ul><p>On Debian, you can use <code>apt</code> to install the latest kernel version:</p><figure
class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo apt-get update</span><br><span class="line">sudo apt-get install linux-image-amd64</span><br></pre></td></tr></table></figure><p>After the installation completes, reboot the system so the new kernel takes effect.</p><h3 id="方法-2:手动下载并安装"><a href="#方法-2:手动下载并安装" class="headerlink" title="方法 2:手动下载并安装"></a>Method 2: Download and Install Manually</h3><p>If you prefer to install the latest kernel manually, you can download the source code from <a href="https://www.kernel.org/">Kernel.org</a>, then compile and install it.</p><ol><li>Download the kernel source code:</li></ol><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.15.10.tar.xz</span><br></pre></td></tr></table></figure><ol start="2"><li>Extract the archive and enter the source directory:</li></ol><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">tar -xvf linux-5.15.10.tar.xz</span><br><span class="line">cd linux-5.15.10</span><br></pre></td></tr></table></figure><ol start="3"><li>Configure the kernel:</li></ol><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">make menuconfig</span><br></pre></td></tr></table></figure><p>This command starts an interactive menu-based configuration interface in which you can select or change kernel configuration options.</p><ol start="4"><li>Compile the kernel:</li></ol><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">make -j$(nproc)</span><br></pre></td></tr></table></figure><ol start="5"><li>Install the kernel:</li></ol><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo make modules_install</span><br><span class="line">sudo make install</span><br></pre></td></tr></table></figure><p>After the installation completes, reboot the system; the new kernel takes effect at boot.</p><h2 id="配置启动项"><a href="#配置启动项" class="headerlink" title="配置启动项"></a>Configure the Boot Entry</h2><p>To use the new kernel, make sure it has been added to the boot entries. In most cases, <code>grub</code> detects and adds new kernel versions automatically.</p><h3 id="更新-grub-配置"><a href="#更新-grub-配置" class="headerlink" title="更新 grub 配置"></a>Update the <code>grub</code> Configuration</h3><ul><li><strong>CentOS</strong>:</li></ul><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo grub2-mkconfig -o /boot/grub2/grub.cfg</span><br></pre></td></tr></table></figure><ul><li><strong>Debian</strong>:</li></ul><figure 
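class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo update-grub</span><br></pre></td></tr></table></figure><h2 id="检查内核升级"><a href="#检查内核升级" class="headerlink" title="检查内核升级"></a>Verify the Kernel Upgrade</h2><p>After rebooting, check the current kernel version with the following command to confirm that the upgrade succeeded:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">uname -r</span><br></pre></td></tr></table></figure><p>If the reported version matches the one you expect, the kernel upgrade succeeded.</p><h2 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>Notes</h2><ul><li><strong>High-risk operation</strong>: A kernel upgrade is a significant system-level operation. If something goes wrong during the upgrade, the system may fail to boot. Be sure to back up before you start and make sure you can restore the previous state.</li><li><strong>Compatibility issues</strong>: Some drivers or hardware may be incompatible with the new kernel version. Before upgrading, consult the relevant documentation or release notes to confirm that your hardware and drivers support the new kernel version.</li><li><strong>Kernel modules</strong>: After a kernel upgrade, some kernel modules may need to be recompiled or reinstalled. Make sure all required modules load correctly under the new kernel.</li></ul>]]></content>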
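<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;The kernel is the core of the operating system and controls the interaction between hardware and software. As the Linux kernel continues to evolve, upgrading to the latest kernel version can not only improve performance but also strengthen system security. This tutorial shows you how to upgrade the Linux kernel on CentOS and Debian systems.</p></summary>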
<category term="Linux" scheme="https://freemankevin.uk/categories/Linux/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="Update" scheme="https://freemankevin.uk/tags/Update/"/>
<category term="Kernel" scheme="https://freemankevin.uk/tags/Kernel/"/>
</entry>
<entry>
<title>How to Upgrade OpenSSL and OpenSSH on CentOS and Debian</title>
<link href="https://freemankevin.uk/2025/01/10/update-openssl-openssh/"/>
<id>https://freemankevin.uk/2025/01/10/update-openssl-openssh/</id>
<published>2025-01-10T03:57:25.000Z</published>
<updated>2025-01-10T03:06:02.568Z</updated>
<content type="html"><![CDATA[<p> OpenSSL and OpenSSH are indispensable security tools on modern Linux systems, widely used for encrypted communication, authentication, and network security. Upgrading these two components regularly is necessary to keep the system secure and stable. This article explains how to manually upgrade OpenSSL and OpenSSH on CentOS and Debian systems.</p><span id="more"></span><h2 id="升级-OpenSSL"><a href="#升级-OpenSSL" class="headerlink" title="升级 OpenSSL"></a>Upgrade OpenSSL</h2><p>OpenSSL is a widely used open-source toolkit that implements cryptographic protocols. The main reason to upgrade OpenSSL is to make sure the system uses the latest cryptographic algorithms and security fixes. The steps for upgrading OpenSSL are as follows:</p><h3 id="检查当前-OpenSSL-版本"><a href="#检查当前-OpenSSL-版本" class="headerlink" title="检查当前 OpenSSL 版本"></a>Check the Current OpenSSL Version</h3><p>First, check the OpenSSL version currently installed on the system to determine whether an upgrade is needed:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">openssl version</span><br></pre></td></tr></table></figure><p>The output looks similar to:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">OpenSSL 1.0.2k-fips 26 Jan 2017</span><br></pre></td></tr></table></figure><p>If the version is old, follow the steps below to upgrade.</p><h3 id="安装依赖包"><a href="#安装依赖包" class="headerlink" title="安装依赖包"></a>Install Dependencies</h3><p>Before starting, install the development tools and dependency libraries needed to compile the OpenSSL source code. Run the commands that match your system:</p><h4 id="对于-CentOS"><a href="#对于-CentOS" class="headerlink" title="对于 CentOS"></a>On CentOS</h4><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo yum groupinstall "Development Tools"</span><br><span class="line">sudo yum install zlib-devel gcc-c++ make</span><br></pre></td></tr></table></figure><h4 id="对于-Debian"><a href="#对于-Debian" class="headerlink" title="对于 Debian"></a>On Debian</h4><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo apt-get update</span><br><span class="line">sudo apt-get install build-essential zlib1g-dev</span><br></pre></td></tr></table></figure><h3 id="下载最新版本的-OpenSSL"><a href="#下载最新版本的-OpenSSL" class="headerlink" title="下载最新版本的 OpenSSL"></a>Download the Latest Version of OpenSSL</h3><p>Visit the <a href="https://www.openssl.org/source/">official OpenSSL website</a> to download the latest OpenSSL source package. You can download it with <code>wget</code>, or download it in a browser and transfer it to the server:</p><figure class="highlight shell"><table><tr><td 
class="code"><pre><span class="line">wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz</span><br></pre></td></tr></table></figure><p>Extract the downloaded file:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">tar -xvzf openssl-1.1.1l.tar.gz</span><br><span class="line">cd openssl-1.1.1l</span><br></pre></td></tr></table></figure><h3 id="编译和安装-OpenSSL"><a href="#编译和安装-OpenSSL" class="headerlink" title="编译和安装 OpenSSL"></a>Compile and Install OpenSSL</h3><p>In the extracted directory, run the following commands to compile and install OpenSSL:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">./config</span><br><span class="line">make</span><br><span class="line">sudo make install</span><br></pre></td></tr></table></figure><p>Compilation may take some time. After installation, you can run <code>openssl version</code> to confirm that it succeeded.</p><h3 id="更新系统链接"><a href="#更新系统链接" class="headerlink" title="更新系统链接"></a>Update the System Links</h3><p>For the system to recognize the newly installed OpenSSL, you may need to update the system's shared-library links:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo ldconfig</span><br></pre></td></tr></table></figure><h3 id="验证安装"><a href="#验证安装" class="headerlink" title="验证安装"></a>Verify the Installation</h3><p>Run <code>openssl version</code> again to confirm that the version has been updated:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">openssl version</span><br></pre></td></tr></table></figure><p>The output should look similar to:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">OpenSSL 1.1.1l 24 Aug 2021</span><br></pre></td></tr></table></figure><p>At this point, you have successfully upgraded OpenSSL.</p><h2 id="升级-OpenSSH"><a href="#升级-OpenSSH" class="headerlink" title="升级 OpenSSH"></a>Upgrade OpenSSH</h2><p>OpenSSH is a commonly used implementation of the SSH remote login protocol, widely used to manage and access servers securely over untrusted networks. Upgrading OpenSSH can provide stronger security and fix potential vulnerabilities. The steps for upgrading OpenSSH are as follows:</p><h3 id="检查当前-OpenSSH-版本"><a href="#检查当前-OpenSSH-版本" class="headerlink" title="检查当前 OpenSSH 版本"></a>Check the Current OpenSSH Version</h3><p>As with OpenSSL, first check the OpenSSH version currently on the system:</p><figure
class="highlight shell"><table><tr><td class="code"><pre><span class="line">ssh -V</span><br></pre></td></tr></table></figure><p>The output looks similar to:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017</span><br></pre></td></tr></table></figure><p>If the version is old, continue with the upgrade.</p><h3 id="安装依赖包-1"><a href="#安装依赖包-1" class="headerlink" title="安装依赖包"></a>Install Dependencies</h3><p>Upgrading OpenSSH also requires some dependency packages, as follows:</p><h4 id="对于-CentOS-1"><a href="#对于-CentOS-1" class="headerlink" title="对于 CentOS"></a>On CentOS</h4><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo yum install gcc make pam-devel pcre-devel</span><br></pre></td></tr></table></figure><h4 id="对于-Debian-1"><a href="#对于-Debian-1" class="headerlink" title="对于 Debian"></a>On Debian</h4><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo apt-get install build-essential libssl-dev libpam-dev libpcre3-dev</span><br></pre></td></tr></table></figure><h3 id="下载-OpenSSH-源码包"><a href="#下载-OpenSSH-源码包" class="headerlink" title="下载 OpenSSH 源码包"></a>Download the OpenSSH Source Package</h3><p>Visit the <a href="https://www.openssh.com/">official OpenSSH website</a> to download the latest OpenSSH source package, or download it directly with <code>wget</code>:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz</span><br></pre></td></tr></table></figure><p>Extract the file and enter the directory:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">tar -xvzf openssh-8.8p1.tar.gz</span><br><span class="line">cd openssh-8.8p1</span><br></pre></td></tr></table></figure><h3 id="编译和安装-OpenSSH"><a href="#编译和安装-OpenSSH" class="headerlink" title="编译和安装 OpenSSH"></a>Compile and Install OpenSSH</h3><p>In the extracted directory, run the following commands to compile and install OpenSSH:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">./configure</span><br><span class="line">make</span><br><span class="line">sudo make install</span><br></pre></td></tr></table></figure><p>This installs the new version of OpenSSH.</p><h3 
id="更新-SSH-配置"><a href="#更新-SSH-配置" class="headerlink" title="更新 SSH 配置"></a>Update the SSH Configuration</h3><p>After installation, you may need to update the <code>/etc/ssh/sshd_config</code> configuration file to enable features of the new version (such as enabling new encryption algorithms or updating configuration options). After changing the configuration, restart the SSH service for the changes to take effect:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo systemctl restart sshd</span><br></pre></td></tr></table></figure><h3 id="验证安装-1"><a href="#验证安装-1" class="headerlink" title="验证安装"></a>Verify the Installation</h3><p>Check the newly installed OpenSSH version:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">ssh -V</span><br></pre></td></tr></table></figure><p>The output should look similar to:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021</span><br></pre></td></tr></table></figure><p>At this point, OpenSSH has also been upgraded successfully.</p>]]></content>
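<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;OpenSSL and OpenSSH are indispensable security tools on modern Linux systems, widely used for encrypted communication, authentication, and network security. Upgrading these two components regularly is necessary to keep the system secure and stable. This article explains how to manually upgrade OpenSSL and OpenSSH on CentOS and Debian systems.</p></summary>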
<category term="Linux" scheme="https://freemankevin.uk/categories/Linux/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="OpenSSL" scheme="https://freemankevin.uk/tags/OpenSSL/"/>
<category term="OpenSSH" scheme="https://freemankevin.uk/tags/OpenSSH/"/>
</entry>
<entry>
<title>Configuring Nginx Log Rotation</title>
<link href="https://freemankevin.uk/2025/01/10/logrotate/"/>
<id>https://freemankevin.uk/2025/01/10/logrotate/</id>
<published>2025-01-10T02:57:25.000Z</published>
<updated>2025-01-10T02:51:12.469Z</updated>
<content type="html"><![CDATA[<p> The access and error logs that Nginx generates keep growing over time and can consume a large amount of disk space. To maintain system performance and use disk space efficiently, configuring log rotation is an important step. This article explains how to configure Nginx log rotation on CentOS and Debian systems, and also provides a solution for Docker environments.</p><span id="more"></span><h2 id="Linux环境"><a href="#Linux环境" class="headerlink" title="Linux环境"></a>Linux Environment</h2><h3 id="安装-logrotate"><a href="#安装-logrotate" class="headerlink" title="安装 logrotate"></a>Install <code>logrotate</code></h3><p><code>logrotate</code> is a log file management tool that periodically rotates, compresses, deletes, and mails log files. Most Linux systems ship with <code>logrotate</code> installed by default; if yours does not, install it as follows:</p><h4 id="在-CentOS-上安装"><a href="#在-CentOS-上安装" class="headerlink" title="在 CentOS 上安装"></a>Install on CentOS</h4><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> yum -y install logrotate</span></span><br></pre></td></tr></table></figure><h4 id="在-Debian-上安装"><a href="#在-Debian-上安装" class="headerlink" title="在 Debian 上安装"></a>Install on Debian</h4><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> apt-get install logrotate</span></span><br></pre></td></tr></table></figure><h3 id="配置日志切割"><a href="#配置日志切割" class="headerlink" title="配置日志切割"></a>Configure Log Rotation</h3><p>Log rotation configuration files live in the <code>/etc/logrotate.d/</code> directory. We can create a custom log rotation configuration file for Nginx there.</p><h4 id="进入配置目录"><a href="#进入配置目录" class="headerlink" title="进入配置目录"></a>Enter the Configuration Directory</h4><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">cd</span> /etc/logrotate.d/</span></span><br></pre></td></tr></table></figure><h4 id="备份并重命名原有的-Nginx-配置文件"><a href="#备份并重命名原有的-Nginx-配置文件" class="headerlink" title="备份并重命名原有的 Nginx 配置文件"></a>Back Up and Rename the Existing Nginx Configuration File</h4><p>By default, Nginx may already have a log rotation configuration file. Back it up by renaming it first:</p><figure class="highlight 
shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> <span class="built_in">mv</span> nginx{,.bak}</span></span><br></pre></td></tr></table></figure><h4 id="创建-Nginx-的日志切割配置文件"><a href="#创建-Nginx-的日志切割配置文件" class="headerlink" title="创建 Nginx 的日志切割配置文件"></a>Create the Nginx Log Rotation Configuration File</h4><p>Create a new configuration file named <code>nginx</code> and edit its log rotation rules:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> vim nginx</span></span><br></pre></td></tr></table></figure><h4 id="配置内容"><a href="#配置内容" class="headerlink" title="配置内容"></a>Configuration Contents</h4><p>The following is a basic log rotation configuration. It rotates daily, keeps 30 days of logs, compresses them, and prevents log files from taking up too much disk space.</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Nginx log rotation configuration</span></span><br><span class="line"></span><br><span class="line">/alldev/log/nginx/*.log {</span><br><span class="line"> # Rotate daily</span><br><span class="line"> daily</span><br><span class="line"> # Keep 30 days of logs</span><br><span class="line"> rotate 30</span><br><span class="line"> # Do not report an error if the log file is missing</span><br><span class="line"> missingok</span><br><span class="line"> # Do not rotate if the log file is empty</span><br><span class="line"> notifempty</span><br><span class="line"> # Compress rotated log files</span><br><span class="line"> compress</span><br><span class="line"> # Compress immediately, without delay</span><br><span class="line"> nodelaycompress</span><br><span class="line"> # Copy the log contents, then truncate the log file</span><br><span class="line"> copytruncate</span><br><span class="line"> # Name rotated log files with a date suffix</span><br><span class="line"> dateext</span><br><span class="line"> # Set the date format to -YYYY-MM-DD</span><br><span class="line"> dateformat -%Y-%m-%d</span><br><span class="line"> # Use yesterday's date for logs from yesterday</span><br><span class="line"> dateyesterday</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h4 id="修改日志路径(可选)"><a href="#修改日志路径(可选)" class="headerlink" title="修改日志路径(可选)"></a>Change the Log Path (Optional)</h4><p>Depending on your needs, you can store logs in a different location, for example under <code>/data</code> instead of <code>/var/log</code>, to avoid using space on the system disk.</p><p>If you change the log path, remember to update the log path in the Nginx configuration file as well, and restart the Nginx service to apply the change.</p><h3 id="验证配置"><a href="#验证配置" 
class="headerlink" title="验证配置"></a>Verify the Configuration</h3><p>Once the configuration is in place, run <code>logrotate</code> manually with the following command to check that it is correct:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> logrotate -d /etc/logrotate.d/nginx</span></span><br></pre></td></tr></table></figure><p>This command simulates a rotation and prints detailed debug information. If no errors are reported, the configuration is valid.</p><p>To rotate the logs immediately, use the following command:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> logrotate -f /etc/logrotate.d/nginx</span></span><br></pre></td></tr></table></figure><h2 id="Docker环境"><a href="#Docker环境" class="headerlink" title="Docker环境"></a>Docker Environment</h2><p>If you run Nginx in Docker, log rotation is configured slightly differently, because Docker log storage is usually managed through the container's internal filesystem.</p><h3 id="配置-Docker-日志驱动"><a href="#配置-Docker-日志驱动" class="headerlink" title="配置 Docker 日志驱动"></a>Configure the Docker Logging Driver</h3><p>First, make sure Docker is configured with the right logging driver. You can check the current logging driver setting with the following command:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash">docker info | grep <span class="string">"Logging Driver"</span></span></span><br></pre></td></tr></table></figure><p>The <code>json-file</code> logging driver is generally recommended. Make sure the Docker configuration file <code>/etc/docker/daemon.json</code> sets the correct logging driver:</p><figure class="highlight json"><table><tr><td class="code"><pre><span class="line"><span class="punctuation">{</span></span><br><span class="line"> <span class="attr">"log-driver"</span><span class="punctuation">:</span> <span class="string">"json-file"</span><span class="punctuation">,</span></span><br><span class="line"> <span class="attr">"log-opts"</span><span class="punctuation">:</span> <span class="punctuation">{</span></span><br><span class="line"> <span class="attr">"max-size"</span><span class="punctuation">:</span> <span class="string">"10m"</span><span 
class="punctuation">,</span></span><br><span class="line"> <span class="attr">"max-file"</span><span class="punctuation">:</span> <span class="string">"3"</span></span><br><span class="line"> <span class="punctuation">}</span></span><br><span class="line"><span class="punctuation">}</span></span><br></pre></td></tr></table></figure><p>This limits each Docker container log file to 10 MB and keeps at most 3 log files.</p><h3 id="配置日志切割-1"><a href="#配置日志切割-1" class="headerlink" title="配置日志切割"></a>Configure Log Rotation</h3><p>You can use <code>logrotate</code> on the host to manage Docker container logs. The log files are usually located under <code>/var/lib/docker/containers/<container_id>/</code>.</p><p>You can manage these log files by creating a <code>docker-nginx</code> configuration file. Create and edit the file:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> vim /etc/logrotate.d/docker-nginx</span></span><br></pre></td></tr></table></figure><p>Then add the following:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_"># </span><span class="language-bash">Docker Nginx container log rotation configuration</span></span><br><span class="line"></span><br><span class="line">/var/lib/docker/containers/*/*.log {</span><br><span class="line"> # Rotate daily</span><br><span class="line"> daily</span><br><span class="line"> # Keep 30 days of logs</span><br><span class="line"> rotate 30</span><br><span class="line"> # Do not report an error if the log file is missing</span><br><span class="line"> missingok</span><br><span class="line"> # Do not rotate if the log file is empty</span><br><span class="line"> notifempty</span><br><span class="line"> # Compress rotated log files</span><br><span class="line"> compress</span><br><span class="line"> # Compress immediately, without delay</span><br><span class="line"> nodelaycompress</span><br><span class="line"> # Copy the log contents, then truncate the log file</span><br><span class="line"> copytruncate</span><br><span class="line"> # Name rotated log files with a date suffix</span><br><span class="line"> dateext</span><br><span class="line"> # Set the date format to -YYYY-MM-DD</span><br><span class="line"> dateformat -%Y-%m-%d</span><br><span class="line">}</span><br></pre></td></tr></table></figure><h3 id="重启-Docker-服务"><a href="#重启-Docker-服务" class="headerlink" title="重启 Docker 服务"></a>Restart the Docker Service</h3><p>After finishing the configuration, remember to restart the Docker service to apply the changes:</p><figure class="highlight shell"><table><tr><td 
class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> systemctl restart docker</span></span><br></pre></td></tr></table></figure><h3 id="验证-Docker-日志切割"><a href="#验证-Docker-日志切割" class="headerlink" title="验证 Docker 日志切割"></a>Verify Docker Log Rotation</h3><p>Use the following command to check that the Docker container logs are rotated as expected:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta prompt_">$ </span><span class="language-bash"><span class="built_in">sudo</span> logrotate -f /etc/logrotate.d/docker-nginx</span></span><br></pre></td></tr></table></figure><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><p>With the steps above, you can configure Nginx log rotation on CentOS and Debian systems as well as in Docker environments. This helps you manage Nginx log files effectively, avoid excessive disk usage, and keep the system running stably.</p><p>If your Nginx log path is different, or you have special requirements, adjust the configuration to fit your situation.</p>]]></content>
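<summary type="html"><p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The access and error logs that Nginx generates keep growing over time and can consume a large amount of disk space. To maintain system performance and use disk space efficiently, configuring log rotation is an important step. This article explains how to configure Nginx log rotation on CentOS and Debian systems, and also provides a solution for Docker environments.</p></summary>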
<category term="Linux" scheme="https://freemankevin.uk/categories/Linux/"/>
<category term="Linux" scheme="https://freemankevin.uk/tags/Linux/"/>
<category term="Nginx" scheme="https://freemankevin.uk/tags/Nginx/"/>
<category term="Logrotate" scheme="https://freemankevin.uk/tags/Logrotate/"/>
</entry>
</feed>